

| | | |
|---|---|---|
| FORM PTO-1390<br>(REV. 5-93) | U.S. DEPARTMENT OF COMMERCE<br>PATENT AND TRADEMARK OFFICE | ATTORNEY'S DOCKET NUMBER<br>10191/1923 |
| <b>TRANSMITTAL LETTER TO THE UNITED STATES<br/>DESIGNATED/ELECTED OFFICE (DO/EO/US)<br/>CONCERNING A FILING UNDER 35 U.S.C. 371</b> | | U.S. APPLICATION NO. (If known, see 37 CFR 1.5)<br><b>09/889730</b> |
| INTERNATIONAL APPLICATION NO.<br>PCT/DE00/00157 | INTERNATIONAL FILING DATE<br>(18.01.00)<br>18 January 2000 | PRIORITY DATE(S) CLAIMED<br>(20.01.99)<br>20 January 1999 |
| TITLE OF INVENTION<br><b>CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS</b> | | |
| APPLICANT(S) FOR DO/EO/US<br><b>DOMINKE, Peter; PFEIFFER, Wolfgang; HARTER, Werner; and LINDENKREUZ, Thomas</b> | | |
| Applicant(s) herewith submit to the United States Designated/Elected Office (DO/EO/US) the following items and other information | | |
| <p>1. <input checked="" type="checkbox"/> This is a <b>FIRST</b> submission of items concerning a filing under 35 U.S.C. 371.</p> <p>2. <input type="checkbox"/> This is a <b>SECOND</b> or <b>SUBSEQUENT</b> submission of items concerning a filing under 35 U.S.C. 371.</p> <p>3. <input checked="" type="checkbox"/> This is an express request to begin national examination procedures (35 U.S.C. 371(f)) immediately rather than delay examination until the expiration of the applicable time limit set in 35 U.S.C. 371(b) and PCT Articles 22 and 39(1).</p> <p>4. <input checked="" type="checkbox"/> A proper Demand for International Preliminary Examination was made by the 19th month from the earliest claimed priority date.</p> <p>5. <input checked="" type="checkbox"/> A copy of the International Application as filed (35 U.S.C. 371(c)(2))</p> <ol style="list-style-type: none"> <li><input type="checkbox"/> is transmitted herewith (required only if not transmitted by the International Bureau).</li> <li><input checked="" type="checkbox"/> has been transmitted by the International Bureau.</li> <li><input type="checkbox"/> is not required, as the application was filed in the United States Receiving Office (RO/US)</li> </ol> <p>6. <input checked="" type="checkbox"/> A translation of the International Application into English (35 U.S.C. 371(c)(2)).</p> <p>7. <input checked="" type="checkbox"/> Amendments to the claims of the International Application under PCT Article 19 (35 U.S.C. 371(c)(3))</p> <ol style="list-style-type: none"> <li><input type="checkbox"/> are transmitted herewith (required only if not transmitted by the International Bureau).</li> <li><input type="checkbox"/> have been transmitted by the International Bureau.</li> <li><input type="checkbox"/> have not been made; however, the time limit for making such amendments has NOT expired.</li> <li><input checked="" type="checkbox"/> have not been made and will not be made.</li> </ol> <p>8. <input type="checkbox"/> A translation of the amendments to the claims under PCT Article 19 (35 U.S.C. 371(c)(3)).</p> <p>9. <input checked="" type="checkbox"/> An oath or declaration of the inventor(s) (35 U.S.C. 371(c)(4)) (unsigned).</p> <p>10. <input checked="" type="checkbox"/> A translation of the annexes to the International Preliminary Examination Report under PCT Article 36 (35 U.S.C. 371(c)(5)).</p> | | |
| <b>Items 11. to 16. below concern other document(s) or information included:</b> | | |
| <p>11. <input checked="" type="checkbox"/> An Information Disclosure Statement under 37 CFR 1.97 and 1.98.</p> <p>12. <input type="checkbox"/> An assignment document for recording. A separate cover sheet in compliance with 37 CFR 3.28 and 3.31 is included.</p> <p>13. <input checked="" type="checkbox"/> A <b>FIRST</b> preliminary amendment.</p> <p><input type="checkbox"/> A <b>SECOND</b> or <b>SUBSEQUENT</b> preliminary amendment.</p> <p>14. <input checked="" type="checkbox"/> A substitute specification and a marked-up version of the substitute specification.</p> <p>15. <input type="checkbox"/> A change of power of attorney and/or address letter.</p> <p>16. <input checked="" type="checkbox"/> Other items or information: International Search Report (translated), International Preliminary Examination Report (translated) and Form PCT/RO/101.</p> | | |

| | | | | |
|---|---|---|---|---|
| U.S. APPLICATION NO if known, see<br>37 C.F.R.1.5<br><b>09/889730</b> | INTERNATIONAL APPLICATION NO<br>PCT/DE00/00157 | ATTORNEY'S DOCKET NUMBER<br>10191/1923 | | |
| 17. <input checked="" type="checkbox"/> The following fees are submitted: | | <input type="checkbox"/> CALCULATIONS <input type="checkbox"/> PTO USE ONLY | | |
| <b>Basic National Fee (37 CFR 1.492(a)(1)-(5)):</b><br>Search Report has been prepared by the EPO or JPO . . . . . \$860.00<br><br>International preliminary examination fee paid to USPTO (37 CFR 1.482) . . . . . \$690.00<br><br>No international preliminary examination fee paid to USPTO (37 CFR 1.482) but<br>international search fee paid to USPTO (37 CFR 1.445(a)(2)) . . . . . \$710.00<br><br>Neither international preliminary examination fee (37 CFR 1.482) nor international<br>search fee (37 CFR 1.445(a)(2)) paid to USPTO . . . . . \$1,000.00<br><br>International preliminary examination fee paid to USPTO (37 CFR 1.482) and all<br>claims satisfied provisions of PCT Article 33(2)-(4) . . . . . \$100.00 | | | | |
| <b>ENTER APPROPRIATE BASIC FEE AMOUNT =</b> | | \$ 860 | | |
| Surcharge of \$130.00 for furnishing the oath or declaration later than <input type="checkbox"/> 20 <input type="checkbox"/> 30 months<br>from the earliest claimed priority date (37 CFR 1.492(e)). | | \$ | | |
| Claims | Number Filed | Number Extra | Rate | |
| Total Claims | 18 - 20 = | 0 | X \$18.00 | \$ 0 |
| Independent Claims                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 2 - 3 =                                        | 0                                                                           | X \$80.00  | \$ 0 |
| Multiple dependent claim(s) (if applicable)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                |                                                                             | + \$270.00 | \$ 0 |
| <b>TOTAL OF ABOVE CALCULATIONS =</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                | \$ 860                                                                      |            |      |
| Reduction by 1/2 for filing by small entity, if applicable. Verified Small Entity statement must<br>also be filed. (Note 37 CFR 1.9, 1.27, 1.28).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                | \$                                                                          |            |      |
| <b>SUBTOTAL =</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                | \$ 860                                                                      |            |      |
| Processing fee of \$130.00 for furnishing the English translation later than <input type="checkbox"/> 20 <input type="checkbox"/> 30<br>months from the earliest claimed priority date (37 CFR 1.492(f)).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                | +                                                                           | \$         |      |
| <b>TOTAL NATIONAL FEE =</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                | \$ 860                                                                      |            |      |
| Fee for recording the enclosed assignment (37 CFR 1.21(h)). The assignment must be<br>accompanied by an appropriate cover sheet (37 CFR 3.28, 3.31). \$40.00 per property                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                | +                                                                           | \$         |      |
| <b>TOTAL FEES ENCLOSED =</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                | \$ 860                                                                      |            |      |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                | Amount to be:<br>refunded                                                   | \$         |      |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                | charged                                                                     | \$         |      |
| a. <input type="checkbox"/> A check in the amount of \$ _____ to cover the above fees is enclosed.<br>b. <input checked="" type="checkbox"/> Please charge my Deposit Account No. <u>11-0600</u> in the amount of \$860.00 to cover the above fees. A duplicate copy of this<br>sheet is enclosed.<br>c. <input checked="" type="checkbox"/> The Commissioner is hereby authorized to charge any additional fees which may be required, or credit any overpayment to Deposit<br>Account No. <u>11-0600</u> . A duplicate copy of this sheet is enclosed.                                                                                                                                                                             |                                                |                                                                             |            |      |
| <b>NOTE:</b> Where an appropriate time limit under 37 CFR 1.494 or 1.495 has not been met, a petition to revive (37 CFR 1.137(a) or (b)) must<br>be filed and granted to restore the application to pending status.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                |                                                                             |            |      |
| SEND ALL CORRESPONDENCE TO:<br><br><br>Richard L. Mayer, Reg. No. 22,490<br>NAME                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                |                                                                             |            |      |
| <b>CUSTOMER NO. 26646</b><br><br><br>Kenyon & Kenyon<br>One Broadway<br>New York, New York 10004<br><br>DATE <u>7/19/2001</u>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                |                                                                             |            |      |

[10191/1923]

**IN THE UNITED STATES PATENT AND TRADEMARK OFFICE**

Applicant(s) : Peter DOMINKE et al.  
Serial No. : To Be Assigned  
Filed : Herewith  
For : CONTROL UNIT FOR CONTROLLING  
SAFETY-CRITICAL APPLICATIONS  
Art Unit : To Be Assigned  
Examiner : To Be Assigned

Assistant Commissioner  
for Patents  
Washington, D.C. 20231

**PRELIMINARY AMENDMENT AND**  
**37 C.F.R. § 1.125 SUBSTITUTE SPECIFICATION STATEMENT**

SIR:

Please amend without prejudice the above-identified application before examination, as set forth below.

**IN THE TITLE:**

Please amend without prejudice the title to be:

--CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS--.

**IN THE SPECIFICATION AND ABSTRACT:**

In accordance with 37 C.F.R. § 1.121(b)(3), a Substitute Specification (including the Abstract, but without claims) accompanies this response. It is respectfully requested that the Substitute Specification (including Abstract) be entered to replace the Specification of record.

**IN THE CLAIMS:**

Without prejudice, please cancel original claims 1 to 18 and substitute claim 12, and please add new claims 19 to 36 as follows:

EL244504550

--19. (New) A control unit for controlling a safety-critical application, the control unit comprising:

    a microcomputer;

    a monitoring unit including a first arrangement for measuring a quiescent current of the microcomputer, and including a second arrangement for applying a test data input signal, for processing test data output signals and for comparing a corresponding test data output signal of the microcomputer to a corresponding test data output signal of the monitoring unit;

    at least one quiescent current handshake line running between the first arrangement and the microcomputer for controlling the measuring of the quiescent current;

    at least one test data signal transmission line running between the second arrangement and the microcomputer; and

    peripheral circuits.

20. (New) The control unit of claim 19, wherein:

    the first arrangement includes an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control, and a control system of the monitoring unit;

    the at least one quiescent current handshake line includes two handshake lines running from the IDDQ measuring run control to the microcomputer;

    the first arrangement and the microcomputer are coupled by the two handshake lines and at least one voltage supply line running from the voltage supply to the microcomputer; and

    at least one of the at least one voltage supply line runs through the IDDQ measuring circuit.

21. (New) The control unit of claim 20, wherein the at least one voltage supply line includes two voltage supply lines running between the voltage source and the microcomputer, and one of the two voltage supply lines runs through the IDDQ measuring circuit.

22. (New) The control unit of claim 19, wherein:

    the first arrangement includes an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control, and a control system of the monitoring unit;

    the at least one quiescent current handshake line includes two handshake lines running from the IDDQ measuring run control to the microcomputer; and at least one voltage supply line running from the voltage supply to the microcomputer, at least one of the at least one voltage supply line running through the IDDQ measuring circuit.

23. (New) The control unit of claim 20, wherein the first arrangement includes an initialization circuit for receiving an initialization signal from the voltage source after the control unit is switched on, and for subsequently transmitting an enable signal to the IDDQ measuring run control to enable an IDDQ measurement.

24. (New) The control unit of claim 19, wherein:

    the second arrangement includes a test data signal generator for applying the test data input signal to the microcomputer, a response generator for processing the test data input signal and for forming the corresponding test data output signal, a test data register for receiving the test data input signal and for transmitting the corresponding test data output signal, and a comparator for comparing the corresponding test data output signal of the microcomputer to the corresponding test data output signal of the monitoring unit; and

    the at least one test data transmission line runs between the test data register of the second arrangement and the microcomputer.

25. (New) The control unit of claim 24, wherein the at least one test data transmission line includes two test data transmission lines.

26. (New) The control unit of claim 24, wherein the second arrangement includes a trigger generator for determining an instant at which the corresponding test data output signal of the microcomputer is available at the comparator, the microcomputer being error-free.

27. (New) The control unit of claim 24, wherein the second arrangement includes an error counter for counting an error if at least one of the following is satisfied: the corresponding test data output signal of the microcomputer is not consistent with the corresponding test data output signal of the monitoring unit; and the corresponding test data output signal of the microcomputer is available at the comparator at a different instant than one determined by the trigger generator.

28. (New) The control unit of claim 27, wherein there is a plurality of response thresholds for use with the error counter, and a different reaction results by exceeding each response threshold of the plurality of response thresholds.

29. (New) The control unit of claim 25, wherein the first arrangement includes an initialization circuit for receiving an initialization signal from the voltage source after the control unit is switched on, for subsequently synchronizing the monitoring unit with the microcomputer, and for then activating the test data signal generator and the error counter.

30. (New) A method for testing a microcomputer of a control unit for controlling safety-critical applications, the control unit including the microcomputer, a monitoring unit, and peripheral circuits, the method comprising:

    measuring a quiescent current of the microcomputer, the measuring of the quiescent current being controlled by the monitoring unit;

    exchanging at least one handshake signal between the microcomputer and the monitoring unit;

    applying a test data input signal to the microcomputer;

    determining a first test data output signal; and

    comparing a second test data output signal of the microcomputer to the first test data output signal of the monitoring unit.

31. (New) The method of claim 30, wherein a quiescent current measurement corresponds to an IDDQ measurement.

32. (New) The method of claim 31, wherein the IDDQ measurement is performed after the control unit is switched on after being enabled by an enable signal.

33. (New) The method of claim 31, wherein the second test data output signal of the microcomputer is compared to the first test data output signal of the monitoring unit while the control unit is operating.

34. (New) The method of claim 31, wherein a clock generator is stopped by the microcomputer during at least one of: the IDDQ measurement; and the comparing of the second test data output signal of the microcomputer with the first test data output signal of the monitoring unit.

35. (New) The method of claim 31, wherein the test data input signal of the monitoring unit is generated by a test data signal generator via a feedback shift register.

36. (New) The method of claim 35, wherein the test data output signal of the monitoring unit is generated by a response generator using a Reed-Muller code.--.

**Remarks**

This Preliminary Amendment cancels without prejudice original claims 1 to 18 and substitute claim 12 in the underlying PCT Application No. PCT/DE00/00157, and adds without prejudice new claims 19 to 36. The new claims conform the claims to U.S. Patent and Trademark Office rules and do not add new matter to the application.

In accordance with 37 C.F.R. § 1.121(b)(3), the Substitute Specification (including the Abstract, but without the claims) contains no new matter. The amendments reflected in the Substitute Specification (including Abstract) are to conform the Specification and Abstract to U.S. Patent and Trademark Office rules or to correct informalities. As required by 37 C.F.R. § 1.121(b)(3)(iii) and § 1.125(b)(2), a Marked Up Version Of The Substitute Specification comparing the Specification of record and the Substitute Specification also accompanies this Preliminary Amendment. In the Marked Up Version, shading indicates added text and brackets indicate deleted text. Approval and entry of the Substitute Specification (including Abstract) is respectfully requested.

The underlying PCT Application No. PCT/DE00/00157 includes an International Search Report, dated June 14, 2000. The Search Report includes a list of documents that were uncovered in the underlying PCT Application. A copy of the Search Report accompanies this Preliminary Amendment.

The underlying PCT application also includes an International Preliminary Examination Report, dated May 16, 2001, and an annex (including Revised/Substitute Claim 12). An English translation of the International Preliminary Examination Report and the annex accompanies this Preliminary Amendment.

Applicants assert that the subject matter of the present application is new, non-obvious, and useful. Prompt consideration and allowance of the application are respectfully requested.

Dated: 7/19/2001

Respectfully Submitted,  
KENYON & KENYON  
By: Richard L. Mayer  
Richard L. Mayer  
(Reg. No. 22,490)

(By Richard L. Mayer  
Reg. No. 22,490  
33,865  
Dated 7/19/2001)

One Broadway  
New York, NY 10004  
(212) 425-7200

**CUSTOMER NO. 26646**


CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS

FIELD OF THE INVENTION

The present invention relates to a control unit for controlling safety-critical applications, having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO). Furthermore, the present invention relates to a method for checking a microcomputer (MC) of a control unit for controlling safety-critical applications, the control unit having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO).

BACKGROUND INFORMATION

In control units that control or regulate applications or functions that are critical with regard to safety, errors of the microcomputer (MC) or of a processor of the microcomputer may be detected by monitoring. Such control units having safety tasks are used, for example, for anti-lock braking systems, for traction control systems, and/or for electronic stability programs. The safety-critical applications controlled by the control unit are connected to the control unit via the peripheral circuits. In the case of single-computer control units, methods having a self-test, plausibility check, and watchdog may be available.

For testing CMOS chips (integrated circuits, IC) at the manufacturer, methods and measuring devices for measuring the quiescent current are used. The background of the so-called quiescent current test is that in a digital CMOS chip in purely static logic, it is believed that almost the entire power loss during the switching operations occurs in its interior. In the rest state, the current flow is restricted to tiny leakage currents as well as to currents through pullup resistors or pulldown resistors at the inputs and through external loads at the output drivers.

It is believed that various production-dependent errors may lead to increased conductivity between the positive and negative supply voltage, and that activating such defective regions (point defects) of the circuit causes the current consumption to increase abruptly. Such defects may be ascertained by a highly exact measurement of the current consumption during the test operation and a comparison to corresponding setpoint values. As already stated, such a quiescent current measurement may be used in the manufacture of CMOS chips to sort out the defective chips after the manufacturing process.

The quiescent current test method, which is believed to be available for use in the manufacturing of computer modules for the control units (as referred to above), to test the computer modules during their normal operation for detecting what may be the most frequent defects in the computer modules, in particular in the microcomputer (MC), e.g. lock-up errors (stuck-at), bridge errors (bridging), and/or interrupt errors (stuck-open).

An available approach for increasing reliability in the case of control units (as referred to above) involves providing two MCs, which reciprocally test one another by parallel computing and/or plausibility checks. However, cost considerations may suggest using only one MC for such control units.

SUMMARY OF THE INVENTION

An object of an exemplary method and/or exemplary embodiment of the present invention is to provide a control unit in which the reliability of the error detection is improved, and the detection is expanded to additional types of errors.

In an exemplary embodiment of the present invention, the monitoring unit (CU) has a first apparatus, arrangement or structure for measuring the quiescent current of the microcomputer (MC), at least one handshake line for controlling the measurement of the quiescent current runs between the first apparatus, arrangement or structure of the CU and the MC, the CU has a second apparatus, arrangement or structure for applying a test data input signal to the MC to process the test data input signal and compare the corresponding test data output signal of the MC to the corresponding test data output signal of the CU, and at least one test data signal transmission line runs between the second apparatus, arrangement or structure of the CU and the MC.

In accordance with the exemplary embodiment and/or exemplary method of the present invention, the reliability of the error detection can be increased by using two different test methods that supplement one another. In this manner, it is believed that a significantly greater number of different error types of the computer modules of the MC can be detected.

The control unit according to the exemplary embodiment of the present invention can also have a plurality of MCs and a plurality of CUs. However, the following assumes that the control unit has one MC and one CU. The CU of the control unit according to the exemplary embodiment of the present invention has a first apparatus, arrangement or structure for measuring the quiescent current of the MC.

At least one handshake line for controlling the measurement of the quiescent current runs between the first apparatus, arrangement or structure of the CU and the MC. The handshake line can, for example, be a bidirectional line.

After the control unit is switched on, the quiescent current is measured for a set number (typically 8 to 16) of selected commands within the framework of a test program. For example, 14 selected commands containing an internal machine cycle are processed for microcomputer TMS470.

To supplement the quiescent current measurement, the CU of the control unit according to the exemplary embodiment of the present invention has a second apparatus, arrangement or structure. At least one transmission line for test data signals runs between the second apparatus, arrangement or structure of the CU and the MC.

The second apparatus, arrangement or structure applies a test data signal to the MC. The MC calculates a test data output signal, which is dependent upon the test data input signal and the states inside the MC. Defective states result in a changed test data output signal of the MC.

In the second apparatus, arrangement or structure of the CU, the test data input signal is also processed to form a test data output signal that is used as a reference signal for checking the test data output signal of the MC. When calculating the test data output signal, the CU assumes an error-free, functioning MC. The completed calculation may have a "very simple" design.

The microcomputer does not have a double design, and the same computation is not carried out by the CU as by the MC, as is the case for parallel computer systems. Rather, starting from the input data of a predefined test function, the MC calculates the output data whose results are checked by the CU using the reference signal calculated by it. The test function used for calculating the output data may be "very simple" in its implementation. The calculation only requires minimal computing time. However, complex tests and results from the application programs can also be included in this test function.

Finally, the test data output signal of the CU is compared to 15 the test data output signal of the MC. If they deviate from one another, or if the deviation exceeds a predetermined threshold value, the CU recognizes an error of the MC. The 20 test result can be displayed by a display device and/or it can be provided that upon occurrence of an error, and the system may be controlled and/or regulated by the control unit to be switched off.

According to another exemplary embodiment of the present 25 invention, the first apparatus, arrangement or structure includes an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control (MAS), and a control system of the CU, and that the connection between the first apparatus, 30 arrangement or structure, and the MC includes two handshake lines that run from the IDDQ-MAS to the MC and at least one voltage supply line that runs from the voltage supply to the MC, at least one of the voltage supply lines running through

{or across} the IDDQ measuring circuit. In semiconductors, IDD designates the positive supply current. IDDQ designates the quiescent current. The handshake lines are, for example, configured as START and END handshake lines for starting and acknowledging the completion of the functional test.

The communication between the MC and the CU for measuring the quiescent current is carried out via the two handshake lines. The quiescent current of the MC is measured by the CU via the separate voltage supply lines.

As stated, the exemplary embodiment of the present invention relates to a control unit having a monitoring unit for checking the microcomputer of the control unit. A voltage supply unit is provided for supplying voltage to the control unit and, as such, also to the microcomputer. The control unit of the CU includes an apparatus, arrangement or structure that can bring the MC into specific operating states.

Furthermore, the IDDQ measuring circuit includes a measuring apparatus, arrangement or structure that ascertains the current or voltage in the voltage supply circuit of the MC, whereupon the determined current or the determined voltage may be compared in a comparison apparatus, arrangement or structure, also present in the IDDQ measuring circuit, to at least one predefined threshold value.

By measuring the current or voltage, a plurality of possible errors in the computer can be ascertained using the IDDQ measurement. In this context, it is believed that what may be the most frequent errors in the components of the MC can be substantially covered using a minimum of test steps. Such errors can be lock-up errors (stuck-at), bridge errors (bridging), and/or interrupt errors (stuck-open).

As a result of the combination of the quiescent current measurement and another suitable checking method, in particular including a check of the functionality of the MC based on test data records, it is believed that errors may be widely covered with respect to the significant errors in computer modules, in particular in CMOS processors, in a way that may be particularly advantageous for safety-critical applications.

The abovementioned elimination of the second processor is largely retained so as to provide an economic advantage of the control unit according to the exemplary embodiment of the present invention, since the quiescent current measurement according to the exemplary embodiment of the present invention may only require a minimal hardware expenditure.

By specially controlling the MC, the IDDQ-MAS brings predetermined components of the MC into a low-current state. The background of this control involves the fact that components present in the MC may require a relatively high current. Since, as stated at the outset, the quiescent current measurement may be based on fluctuations in the quiescent current within relatively small bandwidths, the high current consumption of the MC components interferes with the IDDQ measurement. In particular, the components to which the IDDQ measurement does not apply are brought into a low-current state. Such components can be the MC output stage and/or an input stage (e.g. analog/digital converter), as well as circuits for internally multiplying the clock pulse.

In the simplest case, the components having high current consumption are switched off during the test. Thus, internal circuit elements and circuit outputs that carry high currents are switched off. Subsequently, the quiescent current can be measured.

In addition to switching off the components of the MC having high current as mentioned above, the core of the MC may be brought into a state of low current consumption. In the case of such MC modules configured specifically for the quiescent current measurement, a special operating state, a so-called IDDQ test mode, may be provided. In this operating state, all currents inside of the computer are switched off, i.e., the current in the MC core is minimized.

The IDDQ design is such that standard errors in the MC core become noticeable as an increase in the quiescent current. Thus, for example, short-circuit errors and/or stuck-at errors (short circuit to ground or the supply voltage) are "immediately" or quickly manifested in an increase in the quiescent current. In this context, it is not believed to be necessary to pass on (to propagate) the effect of such an error to the outputs of the MC. The increased current consumption is the immediate error indicator.

In addition to the IDDQ test mode described above, it can be provided that only the MC components having a high current are switched off, and, in response to a command, the MC enters a defined low-current state. In this context, the MC core does not have to be specially configured for the IDDQ test mode.

This is called the power-down mode.

The power-down mode is initiated by loading internal components of the computer, such as the register and memory, with certain patterns, and by bringing the abovementioned computer components into a state of low current consumption, e.g., by executing a certain computer command. If this state is achieved, a clock generator can be selectively switched off or disconnected. Subsequently, the quiescent current or a corresponding voltage value is measured and compared to a threshold value corresponding to the above-set operating state (power-down state) of the MC core. If certain errors are present in the computer (stuck-at errors, bridging errors, stuck-open errors), the result may be an increase in the quiescent current or in the voltage drop caused by the quiescent current.

After such a test step, additional test steps can follow in that the power-down mode is first exited by applying certain signal levels to specific connections of the MC. By again starting or switching on the clock generator, the internal computer components, such as the register and the memory, are loaded with additional patterns, and the abovementioned components are again brought into a low-current state, e.g., by executing a specific computer command (power-down command). The above-described measurement of the quiescent current then follows. As a result of a plurality of such consecutively performed measurements of the power-down current, errors in the registers, memories, and components of the computer core may be ascertained in an increasingly more complete manner.

According to the exemplary computer and exemplary circuit, the individual test steps are ended by re-enabling the clock generator, by triggering a reset, or by triggering an external interrupt. After the last test step, the MC runs again in its normal operating mode (normal operation).

In addition to the above-described quiescent current measurement in the power-down mode, provision is also made in accordance with the exemplary embodiment of the present invention for the quiescent current to be measured in the indicated IDDQ test mode (provided the computer to be checked is suitably configured). The start of the IDDQ test mode is initiated by changing the signal level at a connection of the MC, for example. Also in this context, the register and memory are loaded with certain patterns prior to entering the IDDQ test mode.


Upon entering the IDDQ test mode, the computer components having high current consumption are switched off. Furthermore, by discontinuing or decoupling the time pulse while executing a command, the computer core can be kept in a state "typical" for this command. These commands are selected so that they adjust the states of the internal circuit nodes of the computer core so that as many errors as possible or at least more errors can be detected via the quiescent current measurement.

The handshake for the quiescent current measurement is carried out or performed in a number of steps:

S1: The MC sets the START signal to HIGH. Consequently, the CU knows that an IDDQ measurement is beginning.

S2: The MC can selectively prepare to stop the time pulse (master clock, MCLK), in that it sets a signal PREP to LOW via an internal command.

S3: The MC decodes the precisely defined instant within the next suitable command for the IDDQ test and also sets a signal DEKOD to LOW. Now the MCLK is set equal to LOW, and the digital component of the MC is set to static operation for the IDDQ measurement.

S4: The CU performs the IDDQ measurement.

S5: The CU outputs the level sequence LOW-HIGH-LOW at the signal END, thereby reactivating the MCLK.

S6: The MC becomes active again and confirms the end of the measurement by setting the START signal to LOW. The MC continues the program and prepares the next IDDQ measurement or ends the IDDQ measurement when all measurements have been carried out.

Two voltage supply lines may run between the voltage supply and the MC, one voltage supply line running through the IDDQ measuring circuit. The quiescent current of the MC is measured via the voltage supply line that runs through the IDDQ measuring circuit.

According to another exemplary embodiment of the control unit according to the present invention, the first apparatus, arrangement or structure includes an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control (MAS), and a control system of the CU, and the connection between the first apparatus, arrangement or structure and the MC includes four handshake lines that run from the IDDQ-MAS to the MC and at least one voltage supply line that runs from the voltage supply to the MC, at least one of the voltage supply lines running through the IDDQ measuring circuit.

In the case of four handshake lines, a time-pulse (CLK) line and a line for a power-down (PWRDN) control can be provided for the MC in addition to the lines START, END in the case of two handshake lines. In this exemplary embodiment of the control unit, a shared voltage supply line to the processor is sufficient, the quiescent current being measured in the voltage supply line. The clock generator is then stopped in the CU. The control of voltage supply circuits for analog circuits and IO circuits in the MC is carried out or performed via the PWRDN line from the CU. As such, only the quiescent current of the digital component of the MC flows in the measuring case through the shared voltage supply line.

Advantageously, the first apparatus, arrangement or structure includes an initialization circuit, which receives an initialization signal from the voltage supply after the control unit is switched on and subsequently transmits an enable signal to the IDDQ-MAS to enable the IDDQ measurement. The successful completion of the IDDQ measurement is signaled by an additional signal to the control system of the CU. Consequently, the CU advances the test run in that the initialization circuit enables the test data signal generator via an additional signal.

According to another exemplary embodiment of the present invention, the second apparatus, arrangement or structure includes a test data signal generator for applying a test data input signal to the MC, a response generator for processing the test data input signal and for forming a corresponding test data output signal, a test data register for transmitting and receiving test data, and a comparator for comparing the test data output signal of the MC to the test data output signal of the CU. The connection between the second apparatus, arrangement or structure and the MC includes at least one test data transmission line, which runs between the test data register and the MC. Advantageously, two test data transmission lines may run between the test data register and the MC.

The test data signal generator is also activated by the initialization circuit after the control unit is enabled. In the test data signal generator, the test data for the MC are generated in a virtually random order by a feedback shift register. With the aid of the Reed-Muller codes, the bit string for the test data output signal (the so-called reference signal) is formed in the response generator, for every test data input signal. This code is used to maintain a distance that is as great as possible in the space of numbers of the test data output signals (Hamming distance). In the comparator, the theoretically calculated test data output signal from the response generator of the CU is then compared to the actual test data output signal of the MC from the test data register.

The second apparatus, arrangement or structure may also include a trigger generator, which determines the instant at which the test data output signal of the MC is available at the comparator, in the case of an error-free MC. The trigger generator stipulates the instant of the comparison of the determined test data output signal of the MC and the actual response of the CU. As a result, it is at least better ensured that the time slices in the MC proceed correctly. The comparator not only checks the test data output signal for the correct data value but also to determine whether the test data output signal is transmitted within a specific timing window.

Advantageously, the second apparatus, arrangement or structure includes an error counter, which counts up or down, if the test data output signal of the MC is not consistent with the test data output signal of the CU, and/or if the test data output signal of the MC is available at the comparator at an instant that differs from the one determined by the trigger generator. By a counting pulse, the comparator causes the error counter to count up or down. If the value and instant of the test data output signal are correct, the error counter is decremented, for example. If the error counter falls below a predefined value, an external warning light, for example, is switched on or off via a signal interface, and a relay for manipulating the safety-critical application is enabled.

The manipulation of the application to be controlled may be limited to discontinuing the application. In the case of special applications, it can, however, be useful for the error counter to have a plurality of response thresholds, exceeding the response threshold resulting in a different reaction in each case. As a result, the application can be prevented from being immediately interrupted in the case of a singular disturbance, and the disabling path can be checked by the computer.

If the MC responds to a test data input signal at the wrong instant or with an incorrect value, the same test data input signal is applied to the MC again until the instant and value of the test data output signal are correct. If this does not occur within a predefined time period, the CU switches off the control unit or the application, and it cannot be re-activated even by correct responses.

The second apparatus, arrangement or structure may include an initialization circuit, which receives an initialization signal from the voltage source after the control unit is enabled, subsequently synchronizes the CU with the MC, and then activates the test data signal generator and the error counter. The CU is synchronized with the MC in that the CU waits for the first data transmission of the MC.

An additional object of the exemplary embodiment of the present invention is to provide a method for checking a microcomputer so that the reliability of the error detection may be improved, and the detection may be expanded to additional types of errors.

To achieve this object, in the exemplary method of the present invention, the CU of the control unit measures the quiescent current of the MC and applies a test data input signal to the MC, determines a first test data output signal, and compares a second test data output signal of the MC to the first test data output signal of the CU.

Advantageously, the quiescent current measurement is in the form of an IDDQ measurement. The IDDQ measurement may be carried out or performed after the control unit is switched on after being enabled by an enable signal.

According to another exemplary method according to the present invention, the second test data output signal of the MC is compared to the first test data output signal of the CU while the control unit is in operation. This may have the advantage that the control unit does not have to be switched off to test the functionality of the microcomputer. Rather, MC computing power not used for controlling the application can be used to check the MC while the control unit is in operation.

A false test data output signal may be transmitted one time at regular intervals to the CU while the control unit is in operation to check the functionality of the disabling path.

Another exemplary embodiment of the present invention involves the fact that a clock generator is stopped by the MC during the IDDQ measurement and/or while the second test data output signal of the MC is being compared to the first test data output signal of the CU. The clock generator is provided in the control system of the CU. The internal computer operations in particular are controlled as a function of the output signal of this clock generator. In the described IDDQ test mode, it is provided that this clock generator is switched off or disabled or disconnected from the MC. This can also be carried out or performed in the power-down mode when a particularly low quiescent current is to be achieved. The clock generator is switched off or disabled or disconnected especially at the start of every quiescent current measurement.

The test data input signal of the CU may be generated by a test data signal generator, via a feedback shift register. The test data output signal of the CU may be generated by a response generator, with the aid of the Reed-Muller code.

The exemplary control unit according to the present invention can be checked by two different test runs. A so-called start-up test is carried out immediately following the switching on of the control unit and prior to the operation of the control unit for controlling or regulating the safety-critical application. After the start-up test, a so-called online test is carried out or performed from time to time while the control unit is in operation.

The start-up test is subdivided into two test segments, the so-called processor initialization segment (Proz-Init) and the subsequent so-called operating system initialization segment (BS-Init). The processor initialization segment includes a command test and a core test, a RAM/ROM test, and an IDDQ test. The operating system initialization segment includes a start-up control and a test of the CU. In the start-up control, different input values are tested on the control unit (e.g. a certain speed pattern of the wheels of a vehicle, as can typically occur at the input of an ABS control unit of the vehicle). The control unit carries out a regulation or control of the application based on the input values. The result of the simulated regulation or control is compared to corresponding setpoint values. When testing the CU, a defective MC is simulated, and the reaction of the CU to the defect is checked.

The online test has a command test and a core test, a RAM/ROM test, a test of the CU, and a replication test. In the replication test, double memory spaces are provided for certain safety-critical variables, and certain safety-critical calculations are carried out twice. The contents of the double memory spaces and the results of the double calculations are compared to one another. The redundant storing and the redundant calculation are carried out by a processor of the control unit.

Furthermore, the online test has a plausibility check in which control signals or regulation signals determined by the MC are checked for plausibility. In the case of an ABS control unit, one can, for example, check whether the speed, the acceleration, or the deceleration are within certain limits. Moreover, the values of the individual wheels of the vehicle must be in a certain relation to one another, which can also be checked. Finally, the online test has another operating system test and a test of the remaining monitoring units of the control unit.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 shows a schematic block diagram of an exemplary control unit according to the present invention.

Figure 2 shows a more detailed view of a block diagram of the control unit from Fig. 1.

Figure 3 shows an exemplary circuit configuration for a quiescent current measurement including a two-wire handshake.

Figure 4 shows a timing diagram of the measuring run control for the quiescent current from Figure 3.

DETAILED DESCRIPTION

Figure 1 shows a schematic block diagram of an exemplary control unit according to the present invention. Reference numeral 1 designates the exemplary control unit according to the present invention in its entirety. Control unit 1 is used to control safety-critical applications, e.g. for anti-lock (braking) systems, for traction control systems, and/or for electronic stability programs.

Control unit 1 has a microcomputer MC, a monitoring unit (CU, check unit), and peripheral circuits (IO, input/output).

Microcomputer MC, monitoring unit CU, and peripheral circuits IO are connected in series via a serial synchronous databus 2. Via its data output line MC\_Dout, microcomputer MC transmits the data output signals through databus 2 to the bus users and simultaneously receives the data input signals via its data input line MC\_Din. Using the signal SAM (sample), the bus users store the data received in their storage registers.

There are additional connecting lines between microcomputer MC and monitoring unit CU, namely a shared supply line VDD or alternatively, a plurality of supply lines VDD for a digital and analog supply of microcomputer MC. Finally, IDDQ handshake lines IDDQ-HDSHK, which are used for controlling the quiescent current measurement (IDDQ measurement) of microcomputer MC, run between microcomputer MC and monitoring unit CU. So-called disabling paths 3 lead from monitoring unit CU to external warning lamps and/or relays to manipulate the safety-critical applications to be controlled, depending on whether monitoring unit CU detects an error of microcomputer MC. Peripheral circuits IO have connecting lines 4 to safety-critical application 5 to be controlled.

After control unit 1 is switched on, the quiescent current is measured to check the functionality of microcomputer MC. While control unit 1 is in operation, the functionality of microcomputer MC is checked in that it regularly receives test data records, and the corresponding second test data output signal of the MC is compared to an error-free first test data output signal calculated by monitoring unit CU.

Figure 2 shows a detailed overview of a block diagram of the control unit 1 from Figure 1. Monitoring unit CU includes a control system 6 of monitoring unit CU, a measuring run control 7 for the IDDQ measurement, an IDDQ measuring circuit 8, and a voltage supply 9. Control system 6 of monitoring unit CU includes a test data signal generator 10, a response generator 11, and a comparator 12. With the aid of test data signal generator 10, a test data input signal is applied to microcomputer MC, and the microcomputer determines a second test data output signal as a function of the test data input signal and its own internal states.

Response generator 11 processes the same test data input signal and forms a corresponding first test data output signal. In comparator 12, the first test data output signal of monitoring unit CU is compared to the second test data output signal of microcomputer MC. A trigger generator 13 determines the instant at which the second test data output signal of microcomputer MC is available at comparator 12, given an error-free, functioning microcomputer MC.

Control system 6 of monitoring unit CU further has an error counter 14, which counts an error, if the second test data output signal of microcomputer MC is not consistent with the first test data output signal of monitoring unit CU, and/or if the second test data output signal of microcomputer MC is available at comparator 12 at a different instant than the one determined by trigger generator 13.

Furthermore, control system 6 of monitoring unit CU has a test data register 17, which is used for transmitting and receiving test data.

Finally, control system 6 of monitoring unit CU also has an initialization circuit 15, which receives an initialization signal RST from voltage supply 9 after control unit 1 is switched on and subsequently synchronizes monitoring unit CU with microcomputer MC in that the monitoring unit waits for the first data transmission of the MC. Initialization circuit 15 subsequently activates test data signal generator 10 and error counter 14.

In test data signal generator 10, the test data input signals for microcomputer MC are generated in a virtually random order by a feedback shift register. With the aid of the Reed-Muller codes, the bit string for the corresponding first test data output signal is formed in response generator 11, for every test data input signal. This code is used to maintain a distance that is as great as possible in the space of numbers of the test data output signals (Hamming distance). In comparator 12, the first test data output signal determined in response generator 11 is then compared to the actual second test data output signal of microcomputer MC.

The instant of the comparison is specified by trigger generator 13. This is intended to ensure that the time slices in microcomputer MC proceed correctly. Comparator 12 not only checks the second test data output signal of the MC for the correct data value but also to determine whether the test data output signal is transmitted within a specific timing window. If the value and instant of the second test data output signal of the MC are correct, error counter 14 is decremented, and the safety-critical application to be controlled is kept in an active state via a signal interface 16 in that external warning lights are switched off and the relays for triggering application 5 are activated.

In every cycle following this first cycle, the instant and value of the second test data output signal of the MC must be correct to prevent error counter 14 from responding immediately. Error counter 14 has a plurality of response thresholds to prevent control unit 1 or application 5 from being switched off in the case of a singular disturbance and to enable microcomputer MC to check the disabling path. The first step blocks the valve output stages via signal EN and switches off the voltage supply of the valves via valve relay VRA. The display of the warning lights SILA is delayed by one cycle, so that there is no display when testing the disabling path.

If a test data input signal is responded to at the wrong instant or with an incorrect value, the same test data input signal is applied again to microcomputer MC until the instant and value are correct. If this does not occur within a predefined time period, monitoring unit CU switches off the control unit 1, and it can no longer be activated even by correct responses.
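The monitoring cycle described above (feedback shift register, Reed-Muller reference response, comparator with timing window, error counter with retry and latch-off), as an added C sketch that is not part of the specification. The LFSR polynomial and seed, the use of RM(1,4) over the low five challenge bits, the window bounds and every counter threshold are assumptions; the text fixes none of them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; the specification fixes none of them. */
#define LFSR_SEED        0xACE1u
#define WIN_OPEN_US      900u   /* trigger generator: earliest accepted arrival */
#define WIN_CLOSE_US     1100u  /* trigger generator: latest accepted arrival   */
#define ERR_INIT         3      /* error counter value after initialization     */
#define ERR_ENABLE_BELOW 3      /* application enabled while counter < this     */
#define ERR_CEIL         8      /* counter saturates here                       */
#define RETRY_LIMIT      4      /* consecutive failed cycles before latch-off   */

enum cu_action { CU_ACTIVE, CU_OUTPUTS_BLOCKED, CU_SHUTDOWN };

typedef struct {
    uint16_t challenge;  /* test data input signal currently applied to the MC */
    int errors;          /* error counter 14 */
    int retries;         /* cycles the current challenge has gone unanswered */
    bool latched_off;    /* once set, correct responses no longer re-enable */
} cu_t;

/* Test data signal generator: 16-bit Fibonacci LFSR, x^16+x^14+x^13+x^11+1. */
static uint16_t lfsr_next(uint16_t s) {
    uint16_t fb = (uint16_t)((s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u);
    return (uint16_t)((s >> 1) | (fb << 15));
}

/* Response generator: first-order Reed-Muller code RM(1,4), 5 bits -> 16 bits.
 * Codeword bit i = a0 XOR parity((a4..a1) AND i). */
static uint16_t rm14_encode(uint8_t msg5) {
    uint16_t cw = 0;
    for (unsigned i = 0; i < 16; i++) {
        unsigned v = (msg5 >> 1) & i;
        v ^= v >> 2; v ^= v >> 1;            /* bit 0 = parity of selected bits */
        cw |= (uint16_t)(((v ^ msg5) & 1u) << i);
    }
    return cw;
}

/* Smallest Hamming distance between any two distinct reference responses. */
static int rm14_min_distance(void) {
    int best = 16;
    for (unsigned a = 0; a < 32; a++)
        for (unsigned b = a + 1; b < 32; b++) {
            unsigned x = rm14_encode((uint8_t)a) ^ rm14_encode((uint8_t)b);
            int d = 0;
            for (; x; x &= x - 1) d++;       /* popcount */
            if (d < best) best = d;
        }
    return best;
}

static uint16_t expected_response(uint16_t challenge) {
    return rm14_encode((uint8_t)(challenge & 0x1Fu));
}

static enum cu_action cu_state(cu_t cu) {
    if (cu.latched_off) return CU_SHUTDOWN;
    return cu.errors < ERR_ENABLE_BELOW ? CU_ACTIVE : CU_OUTPUTS_BLOCKED;
}

/* One monitoring cycle: comparator 12 checks both value and arrival time. */
static void cu_step(cu_t *cu, uint16_t mc_response, unsigned arrival_us) {
    if (cu->latched_off) return;
    bool value_ok = mc_response == expected_response(cu->challenge);
    bool time_ok = arrival_us >= WIN_OPEN_US && arrival_us <= WIN_CLOSE_US;
    if (value_ok && time_ok) {
        if (cu->errors > 0) cu->errors--;
        cu->retries = 0;
        cu->challenge = lfsr_next(cu->challenge);   /* next test data record */
    } else {
        if (cu->errors < ERR_CEIL) cu->errors++;
        if (++cu->retries >= RETRY_LIMIT) cu->latched_off = true; /* same challenge stays applied */
    }
}

/* Constructed scenarios: 'g' correct and on time, 'v' one bit flipped, 't' correct but late. */
static cu_t demo(const char *script) {
    cu_t cu = { LFSR_SEED, ERR_INIT, 0, false };
    for (; *script; script++) {
        uint16_t r = expected_response(cu.challenge);
        if (*script == 'v') r ^= 0x0001u;
        cu_step(&cu, r, *script == 't' ? 1500u : 1000u);
    }
    return cu;
}

int main(void) {
    static const char *names[] = { "ACTIVE", "OUTPUTS_BLOCKED", "SHUTDOWN" };
    const char *scripts[] = { "", "g", "gggv", "gggvvv", "gggvvvg", "gggvvvvggg", "gggttt" };
    printf("min distance of reference responses: %d\n", rm14_min_distance());
    for (unsigned i = 0; i < sizeof scripts / sizeof *scripts; i++)
        printf("%-12s -> %s\n", scripts[i], names[cu_state(demo(scripts[i]))]);
    return 0;
}
```

A single wrong or late response leaves the application active, a run of them blocks the outputs, and once the retry limit is reached no later correct response clears the shutdown.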


After control unit 1 is switched on, the quiescent current is measured for a set number (typically 8 to 16) of selected instants of a test program. The communication between microcomputer MC and monitoring unit CU for measuring the quiescent current is carried out via the two handshake lines START and END. While the quiescent current is being measured, microcomputer MC stops clock generator CLK. Between monitoring unit CU and microcomputer MC are two separate voltage supply lines, VDD\_digital for supplying the digital component of microcomputer MC and VDD\_analog for supplying the analog component of microcomputer MC. The quiescent current is measured in voltage supply line VDD\_digital.


The quiescent current measurement is enabled after the voltage supply is switched on via signal IDDQ\_EN of control system 6 of monitoring unit CU. The successful completion of the quiescent current measurement is signaled to control system 6 of monitoring unit CU by signal IDDQ\_FIN. Consequently, monitoring unit CU advances the test run in that initialization circuit 15 enables test data signal generator 10 via a signal IDDQ\_OK.

Figure 3 shows a circuit configuration for measuring the quiescent current including a two-wire handshake. Figure 4 shows the timing diagram of measuring run control 7 for the quiescent current measurement from Figure 3. After control unit 1 is switched on, microcomputer MC starts its self-test. Part of this self-test is the quiescent current measurement. If the functional sequence in microcomputer MC reaches the quiescent current test, the START signal is activated. At instant T1, the quiescent current measurement is activated by signal\_Act. The output of comparator 12 for the quiescent current measurement is evaluated after time T2. If the value is acceptable, microcomputer MC is activated again by the END signal. If the value is outside of a limiting value, the measurement is repeated. The number of repetitions is preset.

If repeating the measurement also does not produce a correct response, the measurement is discontinued, and monitoring unit CU does not switch on microcomputer MC but remains in a fail-safe mode. When all quiescent current measurements are completed, signal IDDQ\_FIN is set to HIGH. Consequently, control system 6 of monitoring unit CU resets signal IDDQ\_EN from HIGH to LOW.
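The measuring run of Figures 3 and 4 as an added C model, not taken from the specification: each step logs START high (S), clock stopped (C), every measurement (M), the END pulse (E) and START low (s), or fail-safe (F) when the repetitions are used up. The limiting value, the number of repetitions, the event letters and the sampler callbacks with their current values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IDDQ_LIMIT_UA 50u  /* assumed limiting value for the quiescent current */
#define MAX_REPEATS   2u   /* assumed preset number of repetitions per step    */
#define LOG_CAP       256

/* Hypothetical hook returning the measured current in microamperes. */
typedef unsigned (*iddq_sampler)(unsigned step, unsigned attempt);

typedef struct {
    char log[LOG_CAP];    /* event trace, one letter per signal event */
    size_t len;
    unsigned steps_done;  /* test steps that ended with an END pulse */
    bool iddq_fin;        /* IDDQ_FIN: all measurements completed */
    bool fail_safe;       /* CU did not reactivate the MC */
} iddq_run_t;

static void emit(iddq_run_t *r, char ev) {
    if (r->len + 1 < LOG_CAP) { r->log[r->len++] = ev; r->log[r->len] = '\0'; }
}

/* Measuring run control: one handshake per selected instant of the test program. */
static iddq_run_t iddq_run(unsigned n_steps, iddq_sampler sample) {
    iddq_run_t r;
    memset(&r, 0, sizeof r);
    for (unsigned step = 0; step < n_steps; step++) {
        emit(&r, 'S');                       /* MC: START -> HIGH */
        emit(&r, 'C');                       /* MC: clock stopped, core static */
        bool ok = false;
        for (unsigned attempt = 0; attempt <= MAX_REPEATS && !ok; attempt++) {
            emit(&r, 'M');                   /* CU: measure, evaluate comparator */
            ok = sample(step, attempt) <= IDDQ_LIMIT_UA;
        }
        if (!ok) {                           /* END is never pulsed: MC stays halted */
            emit(&r, 'F');
            r.fail_safe = true;
            return r;
        }
        emit(&r, 'E');                       /* CU: END pulse reactivates the clock */
        emit(&r, 's');                       /* MC: START -> LOW */
        r.steps_done++;
    }
    r.iddq_fin = true;                       /* CU then enables the test data generator */
    return r;
}

/* Constructed samplers: healthy part, one transient outlier, persistent defect. */
static unsigned healthy(unsigned step, unsigned attempt) { (void)step; (void)attempt; return 12u; }
static unsigned glitch(unsigned step, unsigned attempt) { return (step == 1 && attempt == 0) ? 80u : 12u; }
static unsigned bridged(unsigned step, unsigned attempt) { (void)attempt; return step == 1 ? 140u : 12u; }

static bool trace_is(unsigned n_steps, iddq_sampler sample, const char *want) {
    iddq_run_t r = iddq_run(n_steps, sample);
    return strcmp(r.log, want) == 0;
}

int main(void) {
    iddq_sampler parts[] = { healthy, glitch, bridged };
    const char *names[] = { "healthy", "glitch", "bridged" };
    for (unsigned i = 0; i < 3; i++) {
        iddq_run_t r = iddq_run(2, parts[i]);
        printf("%-8s %-12s fin=%d fail_safe=%d\n", names[i], r.log, r.iddq_fin, r.fail_safe);
    }
    return 0;
}
```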

ABSTRACT OF THE DISCLOSURE

A control unit, for controlling safety-critical applications, includes a microcomputer, a monitoring unit (check unit), and peripheral circuits (input/output), and in which, to improve the reliability of the error detection for such control units, and to expand the detection to additional error types, the monitoring unit includes a first apparatus, arrangement or structure for measuring the quiescent current of the microcomputer; at least one quiescent current handshake line for controlling the measurement of the quiescent current running between the first apparatus, arrangement or structure of the monitoring unit and the microcomputer; the monitoring unit including a second apparatus, arrangement or structure for applying a test data input signal to the microcomputer, for processing the test data input signal, and for comparing the corresponding test data output signal of the microcomputer to the corresponding test data output signal of the monitoring unit; and at least one test data signal transmission line running between the second apparatus, arrangement or structure of the monitoring unit and the microcomputer.


**SUBSTITUTE SPECIFICATION**

## **MARKED UP VERSION OF SUBSTITUTE SPECIFICATION**

[10191/1923]

### CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS

#### FIELD OF THE INVENTION

The present invention relates to a control unit for controlling safety-critical applications, having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO). Furthermore, the present invention relates to a method for checking a microcomputer (MC) of a control unit for controlling safety-critical applications, the control unit having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO).

#### [Background Information] BACKGROUND INFORMATION

In control units that control or regulate applications or functions that are critical with regard to safety, errors of the microcomputer (MC) or of a processor of the microcomputer [must] may be detected by monitoring. Such control units having safety tasks are used, for example, for anti-lock braking systems, for traction control systems, and/or for electronic stability programs. The safety-critical applications controlled by the control unit are connected to the control unit via the peripheral circuits. In the case of single-computer control units, methods having a self-test, plausibility check, and watchdog [are known] may be available.

For testing CMOS chips (integrated circuits, IC) at the manufacturer, methods and measuring devices for measuring the quiescent current are used. The background of the so-called quiescent current test is that in a digital CMOS chip in purely static logic, it is believed that almost the entire power loss during the switching operations occurs in its interior. In the rest state, the current flow is restricted to tiny leakage currents as well as to currents through pullup resistors or pulldown resistors at the inputs and through external loads at the output drivers.

[Many] It is believed that various production-dependent errors may lead to increased conductivity between the positive and negative supply voltage[. A], and that activating such defective regions (point defects) of the circuit causes the current consumption to increase abruptly. Such defects [can]may be ascertained by a highly exact measurement of the current consumption during the test operation and a comparison to corresponding setpoint values. As already stated, such a quiescent current measurement [is]may be used in the manufacture of CMOS chips to sort out the defective chips after the manufacturing process.

[It is known from the related art to also use t]The quiescent current test method[ known], which is believed to be available for use in the [manufacture]manufacturing of computer modules for the control units [of the species cited at the outset] (as referred to above), to test the computer modules during their normal operation [in order to be able to detect]for detecting what may be the most frequent defects in the computer modules, in particular in the microcomputer (MC), e.g. lock-up errors (stuck-at), bridge errors (bridging), and/or interrupt errors (stuck-open).

[It is further known from the related art to provide] An available approach for increasing reliability in the case of control units (as referred to above) involves providing two MCs, which reciprocally test one another by parallel computing and/or plausibility checks[, to increase reliability in the case of control units of the species cited at the outset]. However, cost considerations [result in the suggestion of] may suggest using only one MC for such control units.

#### SUMMARY OF THE INVENTION

[The object] An object of an exemplary method and/or exemplary embodiment of the present invention is to [develop and further refine] provide a control unit [of the species cited at the outset to the effect that] in which the reliability of the error detection is[ further] improved, and the detection is expanded to additional types of errors.

[To achieve this object, starting from a control unit of the species cited at the outset,] In an exemplary embodiment of the present invention[ proposes that], the monitoring unit (CU) has a first [means]apparatus, arrangement or structure for measuring the quiescent current of the microcomputer (MC), [that] at least one handshake line for controlling the measurement of the quiescent current runs between the first [means]apparatus, arrangement or structure of the CU and the MC, [that ]the CU has a second [means]apparatus, arrangement or structure for applying a test data input signal to the MC to process the test data input signal and compare the corresponding test data output signal of the MC to the corresponding test data output signal of the CU, and [that ]at least one test data signal transmission line runs between the second [means] apparatus, arrangement or structure of the CU and the MC.

In accordance with the exemplary embodiment and/or exemplary method of the present invention, [ it was recognized that] the reliability of the error detection can be increased by using two different test methods that supplement one another. In this manner, it is believed that a significantly greater number of different error types of the computer modules of the MC can be detected.

The control unit according to the exemplary embodiment of the present invention can also have a plurality of MCs and a plurality of CUs. However, the following assumes that the control unit has one MC and one CU. The CU of the control unit according to the exemplary embodiment of the present invention has a first [means] apparatus, arrangement or structure for measuring the quiescent current of the MC.

At least one handshake line for controlling the measurement of the quiescent current runs between the first [means] apparatus, arrangement or structure of the CU and the MC. The handshake line can, for example, be[ designed as] a bidirectional line.

After the control unit is switched on, the quiescent current is measured for a set number (typically 8 to 16) of selected commands within the framework of a test program. For example, 14 selected commands containing an internal machine cycle are processed for microcomputer TMS470.

To supplement the quiescent current measurement, the CU of the control unit according to the exemplary embodiment of the present invention has a second [means] apparatus, arrangement or structure. At least one transmission line for test data signals runs between the second [means] apparatus, arrangement or structure of the CU and the MC.

The second [means apply]apparatus, arrangement or structure applies a test data signal to the MC. The MC calculates a test data output signal, which is dependent upon the test data input signal and the states inside the MC. Defective states result in a changed test data output signal of the MC.

In the second [means]apparatus, arrangement or structure of the CU, the test data input signal is also processed to form a test data output signal that is used as a reference signal for checking the test data output signal of the MC. When calculating the test data output signal, the CU assumes an error-free, functioning MC. The completed calculation [preferably]may ha[s]ve a [very] "very simple" design. [ ]

The microcomputer does not have a double design, and the same computation is not carried out by the CU as by the MC, as is the case for parallel computer systems. Rather, starting from the input data of a predefined test function, the MC calculates the output data whose results are checked by the CU using the reference signal calculated by it. The test function used for calculating the output data [typically has a very]may be "very simple[ design]" in its implementation. The calculation only requires minimal computing time. However, complex tests and results from the application programs can also be included in this test function.

Finally, the test data output signal of the CU is compared to the test data output signal of the MC. If they deviate from one another, or if the deviation exceeds a predetermined threshold value, the CU recognizes an error of the MC. The test result can be displayed by a display device and/or it can be provided that upon occurrence of an error, [provision is made for] and the system may be controlled and/or regulated by the control unit to be switched off.

According to [an advantageous further refinement] another exemplary embodiment of the present invention, [it is proposed that ] the first [means] apparatus, arrangement or structure includes an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control (MAS), and a control system of the CU, and that the connection between the first [means] apparatus, arrangement or structure, and the MC includes two handshake lines that run from the IDDQ-MAS to the MC and at least one voltage supply line that runs from the voltage supply to the MC, at least one of the voltage supply lines running through {or across} the IDDQ measuring circuit. In semiconductors, IDD designates the positive supply current. IDDQ designates the quiescent current. The handshake lines are, for example, configured as START and END handshake lines for starting and acknowledging the completion of the functional test.

The communication between the MC and the CU for measuring the quiescent current is carried out via the two handshake lines. The quiescent current of the MC is measured by the CU via the separate voltage supply lines.

As stated, the exemplary embodiment of the present invention relates to a control unit having a monitoring unit for checking the microcomputer of the control unit. A voltage supply unit is provided for supplying voltage to the control unit and, as such, also to the microcomputer. The control unit of the CU includes [means] an apparatus, arrangement or structure that can bring the MC into specific operating states. [ ]

Furthermore, [ present in] the IDDQ measuring circuit includes a [re] measuring [means] apparatus, arrangement or structure that ascertains the current or voltage in the voltage supply circuit of the MC, whereupon the determined current or the determined voltage [is] may be compared in a comparison [means] apparatus, arrangement or structure, also present in the IDDQ measuring circuit, to at least one predefined threshold value.

By [simply] measuring the current or voltage, a plurality of possible errors in the computer can be ascertained using the IDDQ measurement. In this context, it is believed that what may be the most frequent errors in the components of the MC can be substantially covered using a minimum of test steps. Such errors can be lock-up errors (stuck-at), bridge errors (bridging), and/or interrupt errors (stuck-open).

As a result of the combination of the quiescent current measurement and another suitable checking method, in particular including a check of the functionality of the MC based on test data records, it is believed that errors [are] may be widely covered with respect to the significant errors in computer modules, in particular in CMOS processors, in a [manner]way that may be particularly advantageous for safety-critical applications.

The abovementioned elimination of the second processor is largely retained so as to provide an economic advantage of the control unit according to the exemplary embodiment of the present invention, since the quiescent current measurement according to the exemplary embodiment of the present invention may only require[s] a minimal hardware expenditure.

By specially controlling the MC, the IDDQ-MAS brings predetermined components of the MC into a low-current state. The background of this control [is] involves the fact that[ typically] components[ are] present in the MC [that]may require a relatively high current. Since, as stated at the outset, the quiescent current measurement [is generally]may be based on fluctuations in the quiescent current within relatively small bandwidths, the high current consumption of the MC components interfere with the IDDQ measurement. In particular, [it is provided ]th[at]e components to which the IDDQ measurement does not apply are brought into a low-current state. Such components can be the MC output stage and/or an input stage (e.g. analog/digital converter), as well as circuits for internally multiplying the clock pulse. [ ]

In the simplest case, the components having high current consumption are switched off during the test. Thus, internal circuit elements and circuit outputs that carry high currents are switched off. Subsequently, the quiescent current can be measured.

In addition to switching off the components of the MC having high current as mentioned above, [it can also be provided that ]the core of the MC [is to]may be brought into a state of low current consumption. In the case of such MC modules configured specifically for the quiescent current measurement, a special operating state, a so-called IDDQ test mode, [is]may be provided. In this operating state, all currents inside of the computer are switched off, i.e., the current in the MC core is minimized. [ ]

The IDDQ design is such that standard errors in the MC core become noticeable as an increase in the quiescent current. Thus, for example, short-circuit errors and/or stuck-at errors (short circuit to ground or the supply voltage) are [immediately] "immediately" or quickly manifested in an increase in the quiescent current. In this context, it is not believed to be necessary to pass on (to propagate) the effect of such an error to the outputs of the MC. The increased current consumption is the immediate error indicator.

In addition to the IDDQ test mode described above, it can be provided that only the MC components having a high current are switched off, and, in response to a command, the MC enters a defined low-current state. In this context, the MC core does not have to be specially configured for the IDDQ test mode. This is called the power-down mode.

The power-down mode is initiated by loading internal components of the computer, such as the register and memory, with certain patterns, and by bringing the abovementioned computer components into a state of low current consumption, e.g., by executing a certain computer command. If this state is achieved, a clock generator can be selectively switched off or disconnected. Subsequently, the quiescent current or a corresponding voltage value is measured and compared to a threshold value corresponding to the above-set operating state (power-down state) of the MC core. If certain errors are present in the computer (stuck-at errors, bridging errors, stuck-open errors), the result [is typically] may be an increase in the quiescent current or in the voltage drop caused by the quiescent current.

After such a test step, additional test steps can follow in that the power-down mode is first exited by applying certain signal levels to specific connections of the MC. By again starting or switching on the clock generator, the internal computer components, such as the register and the memory, are loaded with additional patterns, and the abovementioned components are again brought into a low-current state, e.g., by executing a specific computer command (power-down command). The above-described measurement of the quiescent current then follows. As a result of a plurality of such consecutively performed measurements of the power-down current, errors in the registers, memories, and components of the computer core [are] may be ascertained in an increasingly more complete manner.

According to the exemplary computer [type ] and [design of the] exemplary circuit, the individual test steps are ended by re-enabling the clock generator, by triggering a reset, or by triggering an external interrupt. After the last test step, the MC runs again in its normal operating mode (normal operation).

In addition [of] to the above-described quiescent current measurement in the power-down mode, provision is also made in accordance with the exemplary embodiment of the present invention for the quiescent current to be measured in the indicated IDDQ test mode[, ] (provided the computer to be checked is suitably configured). The start of the IDDQ test mode is initiated by changing the signal level at a connection of the MC, for example. Also in this context, the register and memory are loaded with certain patterns prior to entering the IDDQ test mode. [ ]

Upon entering the IDDQ test mode, the computer components having high current consumption are switched off. Furthermore, by discontinuing or decoupling the time pulse while executing a command, the computer core can be kept in a state [typical] "typical" for this command. These commands are selected [in such a manner] so that they adjust the states of the internal circuit nodes of the computer core so that as many errors as possible or at least more errors can be detected via the quiescent current measurement.

The handshake for the quiescent current measurement is carried out or performed in a number of steps:

S1: The MC sets the START signal to HIGH. Consequently, the CU knows that an IDDQ measurement is beginning.

S2: The MC can selectively prepare to stop the time pulse (master clock, MCLK), in that it sets a signal PREP to LOW via an internal command.

S3: The MC decodes the precisely defined instant within the next suitable command for the IDDQ test and also sets a signal DEKOD to LOW. Now the MCLK is set equal to LOW, and the digital component of the MC is set to static operation for the IDDQ measurement.

S4: The CU performs the IDDQ measurement.

S5: The CU outputs the level sequence LOW-HIGH-LOW at the signal END, thereby reactivating the MCLK.

S6: The MC becomes active again and confirms the end of the measurement by setting the START signal to LOW. The MC continues the program and prepares the next IDDQ measurement or ends the IDDQ measurement when all measurements have been carried out.
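The six handshake steps, together with the repeat-and-fail-safe behaviour the description gives for the timing diagram of Figure 4, modelled in C as an added example (not code from the specification). The 50 µA limit, the two repetitions, the sample currents and all function and type names are assumptions; the samples are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { LOW = 0, HIGH = 1 } level_t;
typedef enum { IDDQ_OK, IDDQ_FAIL_SAFE, IDDQ_PROTOCOL_ERROR } iddq_status_t;

/* Assumed values: comparator limit in microamps, preset repetitions. */
enum { LIMIT_UA = 50, MAX_REPEATS = 2, ATTEMPTS = 1 + MAX_REPEATS };

typedef struct {
    level_t start;        /* MC -> CU handshake line */
    level_t end;          /* CU -> MC handshake line */
    level_t prep, dekod;  /* MC-internal signals, active LOW */
    bool    mclk_on;      /* master clock running? */
    level_t iddq_fin;     /* HIGH once every measurement has passed */
} bus_t;

typedef struct {
    iddq_status_t status;
    unsigned      measured;  /* number of S4 measurements taken */
    bool          mclk_on;   /* clock state when the run ended */
    level_t       fin;       /* IDDQ_FIN when the run ended */
} report_t;

static void mc_enter_static(bus_t *b)
{
    b->start   = HIGH;   /* S1: announce the measurement to the CU */
    b->prep    = LOW;    /* S2: prepare to stop MCLK */
    b->dekod   = LOW;    /* S3: defined instant in the test command reached */
    b->mclk_on = false;  /*     MCLK held LOW, digital part is static */
}

/* S4. Refuses to measure unless START is HIGH and the clock is stopped,
 * because switching current would swamp the quiescent current. */
static bool cu_measure(const bus_t *b, unsigned sample_ua,
                       bool *in_limit, unsigned *count)
{
    if (b->start != HIGH || b->mclk_on)
        return false;
    (*count)++;
    *in_limit = sample_ua <= LIMIT_UA;
    return true;
}

static void cu_release(bus_t *b)
{
    b->end = LOW; b->end = HIGH; b->end = LOW;  /* S5: LOW-HIGH-LOW on END */
    b->mclk_on = true;                          /*     MCLK reactivated */
}

static void mc_resume(bus_t *b)
{
    b->prep = HIGH;
    b->dekod = HIGH;
    b->start = LOW;      /* S6: MC confirms the end of the measurement */
}

/* s[c][a] is the current seen for test command c on attempt a. */
static report_t run_iddq_test(const unsigned s[][ATTEMPTS], size_t n_cmds)
{
    bus_t b = { LOW, LOW, HIGH, HIGH, true, LOW };
    report_t r = { IDDQ_OK, 0, true, LOW };
    for (size_t c = 0; c < n_cmds && r.status == IDDQ_OK; c++) {
        bool ok = false;
        mc_enter_static(&b);
        for (unsigned a = 0; a < ATTEMPTS && !ok && r.status == IDDQ_OK; a++)
            if (!cu_measure(&b, s[c][a], &ok, &r.measured))
                r.status = IDDQ_PROTOCOL_ERROR;
        if (r.status == IDDQ_OK && !ok)
            r.status = IDDQ_FAIL_SAFE;  /* END is never pulsed: MC stays halted */
        if (r.status == IDDQ_OK) {
            cu_release(&b);
            mc_resume(&b);
        }
    }
    if (r.status == IDDQ_OK)
        b.iddq_fin = HIGH;
    r.mclk_on = b.mclk_on;
    r.fin = b.iddq_fin;
    return r;
}

/* Self-check of the S4 precondition: clock still running, so no reading. */
static bool measure_rejected_while_clocked(void)
{
    bus_t b = { HIGH, LOW, HIGH, HIGH, true, LOW };
    bool ok = false;
    unsigned n = 0;
    return !cu_measure(&b, 10, &ok, &n) && n == 0;
}

/* Constructed samples in microamps: one row per command, one column per try. */
static const unsigned HEALTHY[3][ATTEMPTS]  = {{12, 0, 0}, {15, 0, 0}, {11, 0, 0}};
static const unsigned GLITCH[3][ATTEMPTS]   = {{12, 0, 0}, {90, 14, 0}, {11, 0, 0}};
static const unsigned BRIDGING[3][ATTEMPTS] = {{12, 0, 0}, {480, 475, 482}, {11, 0, 0}};

int main(void)
{
    printf("healthy=%d glitch=%d bridging=%d\n", run_iddq_test(HEALTHY, 3).status,
           run_iddq_test(GLITCH, 3).status, run_iddq_test(BRIDGING, 3).status);
    return 0;
}
```

A single out-of-limit reading is absorbed by the repetition, while a persistently high current leaves the clock stopped and IDDQ_FIN LOW, so the MC is never released.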

Two voltage supply lines [preferably] may run between the voltage supply and the MC, one voltage supply line running through the IDDQ measuring circuit. The quiescent current of the MC is measured via the voltage supply line that runs through the IDDQ measuring circuit.

According to another [advantageous further refinement] exemplary embodiment of the control unit according to the present invention, [it is proposed that ]the first [means] apparatus, arrangement or structure includes an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control (MAS), and a control system of the CU, and [that ]the connection between the first [means] apparatus, arrangement or structure and the MC includes four handshake lines that run from the IDDQ-MAS to the MC and at least one voltage supply line that runs from the voltage supply to the MC, at least one of the voltage supply lines running through the IDDQ measuring circuit. [ ]

In the case of four handshake lines, a time-pulse (CLK) line and a line for a power-down (PWRDN) control can be provided for the MC in addition to the lines START, END in the case of two handshake lines. In this [specific] exemplary embodiment of the control unit, a shared voltage supply line to the processor is sufficient, the quiescent current being measured in the voltage supply line. The clock generator is then stopped in the CU. The control of voltage supply circuits for analog circuits and IO circuits in the MC is carried out or performed via the PWRDN line from the CU. As such, only the quiescent current of the digital component of the MC flows in the measuring case through the shared voltage supply line.

Advantageously, the first [means have] apparatus, arrangement or structure includes an initialization circuit, which receives an initialization signal from the voltage supply after the control unit is switched on and subsequently transmits an enable signal to the IDDQ-MAS to enable the IDDQ measurement. The successful completion of the IDDQ measurement is signal[iz]ed by an additional signal to the control system of the CU. Consequently, the CU advances the test run in that the initialization circuit enables the test data signal generator via an additional signal.

According to [an advantageous specific] another exemplary embodiment of the present invention, the second [means] apparatus, arrangement or structure includes a test data signal generator for applying a test data input signal to the MC, a response generator for processing the test data input signal and for forming a corresponding test data output signal, a test data register for transmitting and receiving test data, and a comparator for comparing the test data output signal of the MC to the test data output signal of the CU[; and t]. The connection between the second [means]apparatus, arrangement or structure and the MC includes at least one test data transmission line, which runs between the test data register and the MC. Advantageously, two test data transmission lines may run between the test data register and the MC.

The test data signal generator is also activated by the initialization circuit after the control unit is enabled. In the test data signal generator, the test data for the MC are generated in a virtually random order by a feedback shift register. With the aid of the Reed-Muller codes, the bit string for the test data output signal (the so-called reference signal) is formed in the response generator, for every test data input signal. This code is used to maintain a distance that is as great as possible in the space of numbers of the test data output signals (Hamming distance). In the comparator, the theoretically calculated test data output signal from the response generator of the CU is then compared to the actual test data output signal of the MC from the test data register.

The second [means preferably have]apparatus, arrangement or structure may also include a trigger generator, which determines the instant at which the test data output signal of the MC is available at the comparator, in the case of an error-free MC. The trigger generator stipulates the instant of the comparison of the determined test data output signal of the MC and the actual response of the CU. As a result, it is at least better ensured that the time slices in the MC proceed correctly. The comparator not only checks the test data output signal for the correct data value but also to determine whether the test data output signal is transmitted within a specific timing window.

Advantageously, the second [means have a]apparatus, arrangement or structure includes an error counter, which counts up or down, [in the event that]if the test data output signal of the MC is not consistent with the test data output signal of the CU, and/or [in the event that]if the test data output signal of the MC is available at the comparator at an instant that differs from the one determined by the trigger generator. By a counting pulse, the comparator causes the error counter to count up or down. If the value and instant of the test data output signal are correct, the error counter is decremented, for example. If the error counter falls below a predefined value, an external warning light, for example, is switched on or off via a signal interface, and a relay for manipulating the safety-critical application is enabled.

The manipulation of the application to be controlled [is typically]may be limited to discontinuing the application. In the case of special applications, it can, however, be useful for the error counter to have a plurality of response thresholds, exceeding the response threshold resulting in a different reaction in each case. As a result, the application can be prevented from being immediately interrupted in the case of a singular disturbance, and the disabling path can be checked by the computer.

If the MC responds to a test data input signal at the wrong instant or with an incorrect value, the same test data input signal is applied to the MC again until the instant and value of the test data output signal are correct. If this does not occur within a predefined time period, the CU switches off the control unit or the application, and it cannot be re-activated even by correct responses.

The second [means preferably have] apparatus, arrangement or structure may include an initialization circuit, which receives an initialization signal from the voltage source after the control unit is enabled, subsequently synchronizes the CU with the MC, and then activates the test data signal generator and the error counter. The CU is synchronized with the MC in that the CU waits for the first data transmission of the MC.
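The second checking path described above (feedback shift register, Reed-Muller response generator, comparator with timing window, error counter and permanent switch-off), sketched in C as an added example that is not code from the specification. The 4-bit register and its taps, the choice of RM(1,3), the counter limits, the tick window and the retry limit standing in for the "predefined time period" are all assumptions, and the reply scripts are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed parameters; the text gives no concrete values. */
enum { ERR_START = 3, ERR_MAX = 7, ENABLE_BELOW = 1,  /* error counter */
       WIN_LO = 8, WIN_HI = 12,                       /* response window (ticks) */
       RETRY_LIMIT = 4 };                             /* tries per test datum */

/* Test data signal generator: 4-bit feedback shift register with taps on
 * bits 3 and 2 (period 15). The state must never be zero. */
static uint8_t lfsr_next(uint8_t s)
{
    uint8_t fb = (uint8_t)(((s >> 3) ^ (s >> 2)) & 1u);
    return (uint8_t)(((s << 1) | fb) & 0x0Fu);
}

/* Response generator: first-order Reed-Muller code RM(1,3). Bit x of the
 * codeword is a0 ^ a1*x0 ^ a2*x1 ^ a3*x2 for message bits a3..a0. */
static uint8_t rm13_encode(uint8_t m)
{
    uint8_t cw = 0;
    for (unsigned x = 0; x < 8; x++) {
        unsigned bit = (m & 1u) ^ ((m >> 1) & x & 1u)
                     ^ ((m >> 2) & (x >> 1) & 1u)
                     ^ ((m >> 3) & (x >> 2) & 1u);
        cw |= (uint8_t)(bit << x);
    }
    return cw;
}

/* Smallest Hamming distance between any two reference signals. */
static unsigned rm13_min_distance(void)
{
    unsigned best = 8;
    for (unsigned a = 0; a < 16; a++)
        for (unsigned b = a + 1; b < 16; b++) {
            unsigned d = 0, v = rm13_encode((uint8_t)a) ^ rm13_encode((uint8_t)b);
            for (; v; v &= v - 1) d++;
            if (d < best) best = d;
        }
    return best;
}

typedef struct {
    uint8_t  challenge;    /* test data input currently applied */
    int      err;          /* error counter */
    unsigned retries;      /* failed attempts on this test datum */
    bool     latched_off;  /* set once, never cleared */
} monitor_t;

/* Comparator and error counter. Returns true while the relay is enabled. */
static bool monitor_check(monitor_t *m, uint8_t response, unsigned tick)
{
    if (m->latched_off)
        return false;                  /* correct replies no longer help */
    bool ok = response == rm13_encode(m->challenge)
           && tick >= WIN_LO && tick <= WIN_HI;
    if (ok) {
        if (m->err > 0) m->err--;
        m->retries = 0;
        m->challenge = lfsr_next(m->challenge);  /* next test datum */
    } else {
        if (m->err < ERR_MAX) m->err++;
        if (++m->retries >= RETRY_LIMIT)         /* same datum was re-applied */
            m->latched_off = true;
    }
    return !m->latched_off && m->err < ENABLE_BELOW;
}

typedef struct { bool relay; bool latched; int err; } outcome_t;

/* Replay a constructed reply script against a fresh monitor:
 * '.' correct and on time, 'L' correct but late, 'X' one output bit wrong. */
static outcome_t run(const char *script)
{
    monitor_t m = { 1, ERR_START, 0, false };
    outcome_t o = { false, false, ERR_START };
    for (; *script; script++) {
        uint8_t reply = (uint8_t)(rm13_encode(m.challenge) ^ (*script == 'X'));
        o.relay = monitor_check(&m, reply, *script == 'L' ? WIN_HI + 8 : WIN_LO + 2);
    }
    o.latched = m.latched_off;
    o.err = m.err;
    return o;
}

int main(void)
{
    outcome_t g = run("...L."), f = run("...XXXX...");
    printf("minimum distance of reference signals: %u\n", rm13_min_distance());
    printf("late reply then recovery: relay=%d err=%d\n", g.relay, g.err);
    printf("persistent fault: relay=%d latched=%d err=%d\n", f.relay, f.latched, f.err);
    return 0;
}
```

The counter starts above the enable threshold, so the relay is only closed after the MC has answered several test data correctly and on time, and a latched shutdown ignores every later reply.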

An additional object of the exemplary embodiment of the present invention is to [develop and further refine] provide a method for checking a microcomputer [of the species cited at the outset to the effect] so that the reliability of the error detection [are further] may be improved, and the detection [is] may be expanded to additional types of errors.

To achieve this object, [starting from] in the exemplary method of [the species cited at the outset,] the present invention [proposes that], the CU of the control unit measures the quiescent current of the MC and applies a test data input signal to the MC, determines a first test data output signal, and compares a second test data output signal of the MC to the first test data output signal of the CU.

Advantageously, the quiescent current measurement is in the form of an IDDQ measurement. [Preferably, t]The IDDQ measurement [is]may be carried out or performed after the control unit is switched on after being enabled by an enable signal.

According to [an advantageous further refinement of the]another exemplary method according to the present invention, the second test data output signal of the MC is compared to the first test data output signal of the CU while the control unit is in operation. This may ha[s]ve the advantage that the control unit does not have to be switched off to test the functionality of the microcomputer. Rather, MC computing power not used for controlling the application can be used to check the MC while the control unit is in operation.

[Preferably, a]A false test data output signal [is]may be transmitted one time at regular intervals to the CU while the control unit is in operation to check the functionality of the disabling path.

[An additional advantageous]Another exemplary embodiment of the present invention [start from]involves the [assumption]fact that a clock generator is stopped by the MC during the IDDQ measurement and/or while the second test data output signal of the MC is being compared to the first test data output signal of the CU. The clock generator is provided in the control system of the CU. The internal computer operations in particular are controlled as a function of the output signal of this clock generator. In the described IDDQ test mode, it is provided that this clock generator is switched off or disabled or disconnected from the MC. This can also be carried out or performed in the power-down mode when a particularly low quiescent current is to be achieved. The clock generator is switched off or disabled or disconnected especially at the start of every quiescent current measurement.

[Preferably, t] The test data input signal of the CU [is] may be generated by a test data signal generator, via a feedback shift register. [Preferably, t] The test data output signal of the CU [is] may be generated by a response generator, with the aid of the Reed-Muller code.

The exemplary control unit according to the present invention can be checked by two different test runs. A so-called start-up test is carried out immediately following the switching on of the control unit and prior to the operation of the control unit for controlling or regulating the safety-critical application. After the start-up test, a so-called online test is carried out or performed from time to time while the control unit is in operation.

The start-up test is subdivided into two test segments, the so-called processor initialization segment (Proz-Init) and the subsequent so-called operating system initialization segment (BS-Init). The processor initialization segment includes a command test and a core test, a RAM/ROM test, and an IDDQ test. The operating system initialization segment includes a start-up control and a test of the CU. In the start-up control, different input values are tested on the control unit (e.g. a certain speed pattern of the wheels of a vehicle, as can typically occur at the input of an ABS control unit of the vehicle). The control unit carries out a regulation or control of the application based on the input values. The result of the simulated regulation or control is compared to corresponding setpoint values. When testing the CU, a defective MC is simulated, and the reaction of the CU to the defect is checked.

The online test has a command test and a core test, a RAM/ROM test, a test of the CU, and a replication test. In the replication test, double memory spaces are provided for certain safety-critical variables, and certain safety-critical calculations are carried out twice. The contents of the double memory spaces and the results of the double calculations are compared to one another. The redundant storing and the redundant calculation are carried out by a processor of the control unit.

Furthermore, the online test has a plausibility check in which control signals or regulation signals determined by the MC are checked for plausibility. In the case of an ABS control unit, one can, for example, check whether the speed, the acceleration, or the deceleration are within certain limits. Moreover, the values of the individual wheels of the vehicle must be in a certain relation to one another, which can also be checked. Finally, the online test has another operating system test and a test of the remaining monitoring units of the control unit.

[A preferred exemplary embodiment of the present invention is explained in more detail in the light of the following drawings. The figures show: Figure 1 ]

### **BRIEF DESCRIPTION OF THE DRAWINGS**

Figure 1 shows a schematic [ overview of a ] block diagram of [a] an exemplary control unit according to the present invention[;].

Figure 2[ ] shows a more detailed [overview] view of a block diagram of the control unit from Fig. 1[;].

Figure 3[ ] shows [a] an exemplary circuit configuration for a quiescent current measurement including a two-wire handshake[;].

Figure 4[ ] shows a timing diagram of the measuring run control for the quiescent current from Figure 3.

### **DETAILED DESCRIPTION**

Figure 1 shows a schematic [ overview of a ] block diagram of [a] an exemplary control unit according to the present invention. Reference numeral 1 designates the exemplary control unit according to the present invention in its entirety. Control unit 1 is used to control safety-critical applications, e.g. for anti-lock (braking) systems, for traction control systems, and/or for electronic stability programs. [ ]

Control unit 1 has a microcomputer MC, a monitoring unit (CU, check unit), and peripheral circuits (IO, input/output).

Microcomputer MC, monitoring unit CU, and peripheral circuits IO are connected in series via a serial synchronous databus 2.

Via its data output line MC\_Dout, microcomputer MC transmits the data output signals through databus 2 to the bus users and simultaneously receives the data input signals via its data input line MC\_Din. Using the signal SAM (sample), the bus users store the data received in their storage registers.

There are additional connecting lines between microcomputer MC and monitoring unit CU, namely a shared supply line VDD or, alternatively, a plurality of supply lines VDD for a digital and analog supply of microcomputer MC. Finally, IDDQ handshake lines IDDQ-HDSHK, which are used for controlling the quiescent current measurement (IDDQ measurement) of microcomputer MC, run between microcomputer MC and monitoring unit CU. So-called disabling paths 3 lead from monitoring unit CU to external warning lamps and/or relays to manipulate the safety-critical applications to be controlled, depending on whether monitoring unit CU detects an error of microcomputer MC. Peripheral circuits IO have connecting lines 4 to safety-critical application 5 to be controlled.

After control unit 1 is switched on, the quiescent current is measured to check the functionality of microcomputer MC. While control unit 1 is in operation, the functionality of microcomputer MC is checked in that it regularly receives test data records, and the corresponding second test data output signal of the MC is compared to an error-free first test data output signal calculated by monitoring unit CU.

Figure 2 shows a detailed overview of a block diagram of the control unit 1 from Figure 1. Monitoring unit CU includes a control system 6 of monitoring unit CU, a measuring run control 7 for the IDDQ measurement, an IDDQ measuring circuit 8, and a voltage supply 9. Control system 6 of monitoring unit CU includes a test data signal generator 10, a response generator 11, and a comparator 12. With the aid of test data signal generator 10, a test data input signal is applied to microcomputer MC, and the microcomputer determines a second test data output signal as a function of the test data input signal and its own internal states. [ ]

Response generator 11 processes the same test data input signal and forms a corresponding first test data output signal. In comparator 12, the first test data output signal of monitoring unit CU is compared to the second test data output signal of microcomputer MC. A trigger generator 13 determines the instant at which the second test data output signal of microcomputer MC is available at comparator 12, given an error-free, functioning microcomputer MC.

Control system 6 of monitoring unit CU further has an error counter 14, which counts an error, [in the event that] if the second test data output signal of microcomputer MC is not consistent with the first test data output signal of monitoring unit CU, and/or [in the event that] if the second test data output signal of microcomputer MC is available at comparator 12 at a different instant than the one determined by trigger generator 13.

Furthermore, control system 6 of monitoring unit CU has a test data register 17, which is used for transmitting and receiving test data.

Finally, control system 6 of monitoring unit CU also has an initialization circuit 15, which receives an initialization signal RST from voltage supply 9 after control unit 1 is switched on and subsequently synchronizes monitoring unit CU with microcomputer MC in that the monitoring unit waits for the first data transmission of the MC. Initialization circuit 15 subsequently activates test data signal generator 10 and error counter 14.

In test data signal generator 10, the test data input signals for microcomputer MC are generated in a virtually random order by a feedback shift register. With the aid of the Reed-Muller codes, the bit string for the corresponding first test data output signal is formed in response generator 11, for every test data input signal. This code is used to maintain a distance that is as great as possible in the space of numbers of the test data output signals (Hamming distance). In comparator 12, the first test data output signal determined in response generator 11 is then compared to the actual second test data output signal of microcomputer MC.

The instant of the comparison is specified by trigger generator 13. This is intended to ensure[s] that the time slices in microcomputer MC proceed correctly. Comparator 12 not only checks the second test data output signal of the MC for the correct data value but also determines whether the test data output signal is transmitted within a specific timing window. If the value and instant of the second test data output signal of the MC are correct, error counter 14 is decremented, and the safety-critical application to be controlled is kept in an active state via a signal interface 16 in that external warning lights are switched off and the relays for triggering application 5 are activated.

In every cycle following this first cycle, the instant and value of the second test data output signal of the MC must be correct to prevent error counter 14 from responding immediately. Error counter 14 has a plurality of response thresholds to prevent control unit 1 or application 5 from being switched off in the case of a singular disturbance and to enable microcomputer MC to check the disabling path. The first step blocks the valve output stages via signal EN and switches off the voltage supply of the valves via valve relay VRA. The display of the warning lights SILA is delayed by one cycle, so that there is no display when testing the disabling path.

If a test data input signal is responded to at the wrong instant or with an incorrect value, the same test data input signal is applied again to microcomputer MC until the instant and value are correct. If this does not occur within a predefined time period, monitoring unit CU switches off the control unit 1, and it can no longer be activated even by correct responses.

After control unit 1 is switched on, the quiescent current is measured for a set number (typically 8 to 16) of selected instants of a test program. The communication between microcomputer MC and monitoring unit CU for measuring the quiescent current is carried out via the two handshake lines START and END. While the quiescent current is being measured, microcomputer MC stops clock generator CLK. Between monitoring unit CU and microcomputer MC are two separate voltage supply lines, VDD\_digital for supplying the digital component of microcomputer MC and VDD\_analog for supplying the analog component of microcomputer MC. The quiescent current is measured in voltage supply line VDD\_digital.

The quiescent current measurement is enabled after the voltage supply is switched on via signal IDDQ\_EN of control system 6 of monitoring unit CU. The successful completion of the quiescent current measurement is signalized to control system 6 of monitoring unit CU by signal IDDQ\_FIN. Consequently, monitoring unit CU advances the test run in that initialization circuit 15 enables test data signal generator 10 via a signal IDDQ\_OK.

Figure 3 shows a circuit configuration for measuring the quiescent current including a two-wire handshake. Figure 4 shows the timing diagram of measuring run control 7 for the quiescent current measurement from Figure 3. After control unit 1 is switched on, microcomputer MC starts its self-test. Part of this self-test is the quiescent current measurement. If the functional sequence in microcomputer MC reaches the quiescent current test, the START signal is activated. At instant T1, the quiescent current measurement is activated by signal\_Act. The output of comparator 12 for the quiescent current measurement is evaluated after time T2. If the value is acceptable, microcomputer MC is activated again by the END signal. If the value is outside of a limiting value, the measurement is repeated. The number of repetitions is preset. [ ]

If repeating the measurement also does not produce a correct response, the measurement is discontinued, and monitoring unit CU does not switch on microcomputer MC but remains in a fail-safe mode. When all quiescent current measurements are completed, signal `IDDQ_FIN` is set to HIGH. Consequently, control system 6 of monitoring unit CU resets signal `IDDQ_EN` from HIGH to LOW.

### **ABSTRACT OF THE DISCLOSURE**

[Abstract

The present invention relates to a]A control unit[ (1)], for controlling safety-critical applications[ (5)], [having] includes a microcomputer[ (MC)], a monitoring unit ([CU, ]check unit), and peripheral circuits ([IO, ]input/output)[. T], and in which, to[ further] improve the reliability of the error detection for such control units, and to expand the detection to additional error types, [a control unit (1) of the indicated type is proposed in accordance with the present invention, ]the monitoring unit [(CU) having] includes a first [means]apparatus, arrangement or structure for measuring the quiescent current of the microcomputer[ (MC)]; at least one quiescent current handshake line[ (IDQ-HDSHK)] for controlling the measurement of the quiescent current running between the first [means of the CU and the MC; the CU having second means]apparatus, arrangement or structure of the monitoring unit and the microcomputer; the monitoring unit including a second apparatus, arrangement or structure for applying a test data input signal to the [MC]microcomputer, for processing the test data input signal, and for comparing the corresponding test data output signal of the [MC]microcomputer to the corresponding test data output signal of the [CU]monitoring unit; and at least one test data signal transmission line running between the second [means of the CU and the MC.]apparatus, arrangement or structure of the monitoring unit and the microcomputer.

[(Figure 2)]

3/PR15

09/889730  
JC18 Rec'd PCT/PTO 19 JUL 2001

[10191/1923]

CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS

The present invention relates to a control unit for controlling safety-critical applications, having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO). Furthermore, the present invention relates to a method for checking a microcomputer (MC) of a control unit for controlling safety-critical applications, the control unit having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO).

Background Information

In control units that control or regulate applications or functions that are critical with regard to safety, errors of the microcomputer (MC) or of a processor of the microcomputer must be detected by monitoring. Such control units having safety tasks are used, for example, for anti-lock braking systems, for traction control systems, and/or for electronic stability programs. The safety-critical applications controlled by the control unit are connected to the control unit via the peripheral circuits. In the case of single-computer control units, methods having a self-test, plausibility check, and watchdog are known.

For testing CMOS chips (integrated circuits, IC) at the manufacturer, methods and measuring devices for measuring the quiescent current are used. The background of the so-called quiescent current test is that in a digital CMOS chip in purely static logic, almost the entire power loss during the switching operations occurs in its interior. In the rest state, the current flow is restricted to tiny leakage currents as well as to currents through pullup resistors or pulldown resistors at the inputs and through external loads at the output drivers. Many production-dependent errors lead to increased conductivity between the positive and negative supply voltage. Activating such defective regions (point defects) of the circuit causes the current consumption to increase abruptly. Such defects can be ascertained by a highly exact measurement of the current consumption during the test operation and a comparison to corresponding setpoint values. As already stated, such a quiescent current measurement is used in the manufacture of CMOS chips to sort out the defective chips after the manufacturing process.

It is known from the related art to also use the quiescent current test method known in the manufacture of computer modules for control units of the species cited at the outset to test the computer modules during their normal operation in order to be able to detect the most frequent defects in the computer modules, in particular in the microcomputer (MC), e.g. lock-up errors (stuck-at), bridge errors (bridging), and/or interrupt errors (stuck-open).

It is further known from the related art to provide two MCs, which reciprocally test one another by parallel computing and/or plausibility checks, to increase reliability in the case of control units of the species cited at the outset. However, cost considerations result in the suggestion of using only one MC for such control units.

The object of the present invention is to develop and further refine a control unit of the species cited at the outset to the effect that the reliability of the error detection is further improved, and the detection is expanded to additional types of errors.

To achieve this object, starting from a control unit of the species cited at the outset, the present invention proposes that the monitoring unit (CU) has first means for measuring the quiescent current of the microcomputer (MC), that at least one handshake line for controlling the measurement of the quiescent current runs between the first means of the CU and the MC, that the CU has second means for applying a test data input signal to the MC to process the test data input signal and compare the corresponding test data output signal of the MC to the corresponding test data output signal of the CU, and that at least one test data signal transmission line runs between the second means of the CU and the MC.

the quiescent current runs between the first means of the CU and the MC. The handshake line can, for example, be designed as a bidirectional line.

After the control unit is switched on, the quiescent current is measured for a set number (typically 8 to 16) of selected commands within the framework of a test program. For example, 14 selected commands containing an internal machine cycle are processed for microcomputer TMS470.

To supplement the quiescent current measurement, the CU of the control unit according to the present invention has a second means. At least one transmission line for test data signals runs between the second means of the CU and the MC.

The second means apply a test data signal to the MC. The MC calculates a test data output signal, which is dependent upon the test data input signal and the states inside the MC.

Defective states result in a changed test data output signal of the MC.

In the second means of the CU, the test data input signal is also processed to form a test data output signal that is used as a reference signal for checking the test data output signal of the MC. When calculating the test data output signal, the CU assumes an error-free, functioning MC. The completed calculation preferably has a very simple design. The microcomputer does not have a double design, and the same computation is not carried out by the CU as by the MC, as is the case for parallel computer systems. Rather, starting from the input data of a predefined test function, the MC calculates the output data whose results are checked by the CU using the reference signal calculated by it. The test function used for calculating the output data typically has a very simple design. The calculation only requires minimal computing time. However, complex tests and results from the application programs can also be included in this test function.

Finally, the test data output signal of the CU is compared to the test data output signal of the MC. If they deviate from one another, or if the deviation exceeds a predetermined threshold value, the CU recognizes an error of the MC. The test result can be displayed by a display device, and/or provision can be made for the system controlled and/or regulated by the control unit to be switched off upon occurrence of an error.

According to an advantageous further refinement of the present invention, it is proposed that the first means include an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control (MAS), and a control system of the CU, and that the connection between the first means and the MC includes two handshake lines that run from the IDDQ-MAS to the MC and at least one voltage supply line that runs from the voltage supply to the MC, at least one of the voltage supply lines running through {or across} the IDDQ measuring circuit. In semiconductors, IDD designates the positive supply current. IDDQ designates the quiescent current. The handshake lines are, for example, configured as START and END handshake lines for starting and acknowledging the completion of the functional test.

The communication between the MC and the CU for measuring the quiescent current is carried out via the two handshake lines. The quiescent current of the MC is measured by the CU via the separate voltage supply lines.

As stated, the present invention relates to a control unit having a monitoring unit for checking the microcomputer of the control unit. A voltage supply unit is provided for supplying voltage to the control unit and, as such, also to the microcomputer. The control unit of the CU includes means that can bring the MC into specific operating states. Furthermore, present in the IDDQ measuring circuit are measuring means that ascertain the current or voltage in the voltage supply circuit of the MC, whereupon the determined current or the determined voltage is compared in comparison means, also present in the IDDQ measuring circuit, to at least one predefined threshold value.

By simply measuring the current or voltage, a plurality of possible errors in the computer can be ascertained using the IDDQ measurement. In this context, the most frequent errors in the components of the MC can be substantially covered using a minimum of test steps. Such errors can be lock-up errors (stuck-at), bridge errors (bridging), and/or interrupt errors (stuck-open).

As a result of the combination of the quiescent current measurement and another suitable checking method, in particular including a check of the functionality of the MC based on test data records, errors are widely covered with respect to the significant errors in computer modules, in particular in CMOS processors, in a manner particularly advantageous for safety-critical applications.

The abovementioned elimination of the second processor is largely retained as an economic advantage of the control unit according to the present invention, since the quiescent current measurement according to the present invention only requires a minimal hardware expenditure.

By specially controlling the MC, the IDDQ-MAS brings predetermined components of the MC into a low-current state.

The background of this control is that typically components are present in the MC that require a relatively high current. Since, as stated at the outset, the quiescent current measurement is generally based on fluctuations in the quiescent current within relatively small bandwidths, the high current consumption of the MC components interferes with the IDDQ measurement. In particular, it is provided that components to which the IDDQ measurement does not apply are brought into a low-current state. Such components can be the MC output stage and/or an input stage (e.g. analog/digital converter) as well as circuits for internally multiplying the clock pulse. In the simplest case, the components having high current consumption are switched off during the test. Thus, internal circuit elements and circuit outputs that carry high currents are switched off. Subsequently, the quiescent current can be measured.

In addition to switching off the components of the MC having high current as mentioned above, it can also be provided that the core of the MC is to be brought into a state of low current consumption. In the case of such MC modules configured specifically for the quiescent current measurement, a special operating state, a so-called IDDQ test mode, is provided. In this operating state, all currents inside of the computer are switched off, i.e., the current in the MC core is minimized.

The IDDQ design is such that standard errors in the MC core become noticeable as an increase in the quiescent current. Thus, for example, short-circuit errors and/or stuck-at errors (short circuit to ground or the supply voltage) are immediately manifested in an increase in the quiescent current. In this context, it is not necessary to pass on (to propagate) the effect of such an error to the outputs of the MC. The increased current consumption is the immediate error indicator.

In addition to the IDDQ test mode described above, it can be provided that only the MC components having a high current are switched off, and, in response to a command, the MC enters a defined low-current state. In this context, the MC core does not have to be specially configured for the IDDQ test mode. This is called the power-down mode.

The power-down mode is initiated by loading internal components of the computer, such as the register and memory, with certain patterns, and by bringing the abovementioned computer components into a state of low current consumption, e.g. by executing a certain computer command. If this state is achieved, a clock generator can be selectively switched off or disconnected. Subsequently, the quiescent current or a corresponding voltage value is measured and compared to a threshold value corresponding to the above-set operating state (power-down state) of the MC core. If certain errors are present in the computer (stuck-at errors, bridging errors, stuck-open errors), the result is typically an increase in the quiescent current or in the voltage drop caused by the quiescent current.

After such a test step, additional test steps can follow in that the power-down mode is first exited by applying certain signal levels to specific connections of the MC. By again starting or switching on the clock generator, the internal computer components, such as the register and the memory, are loaded with additional patterns, and the abovementioned components are again brought into a low-current state, e.g. by executing a specific computer command (power-down command). The above-described measurement of the quiescent current then follows. As a result of a plurality of such consecutively performed measurements of the power-down current, errors in the registers, memories, and components of the computer core are ascertained in an increasingly more complete manner.

According to the computer type and design of the circuit, the individual test steps are ended by re-enabling the clock generator, by triggering a reset, or by triggering an external interrupt. After the last test step, the MC runs again in its normal operating mode (normal operation).

In addition to the above-described quiescent current measurement in the power-down mode, provision is also made in accordance with the present invention for the quiescent current to be measured in the indicated IDDQ test mode, provided the computer to be checked is suitably configured. The start of the IDDQ test mode is initiated by changing the signal level at a connection of the MC, for example. Also in this context, the register and memory are loaded with certain patterns prior to entering the IDDQ test mode. Upon entering the IDDQ test mode, the computer components having high current consumption are switched off. Furthermore, by discontinuing or decoupling the time pulse while executing a command, the computer core can be kept in a state typical for this command. These commands are selected in such a manner that they adjust the states of the internal circuit nodes of the computer core so that as many errors as possible can be detected via the quiescent current measurement.

The handshake for the quiescent current measurement is carried out in a number of steps:

- S1: The MC sets the START signal to HIGH. Consequently, the CU knows that an IDDQ measurement is beginning.
- S2: The MC can selectively prepare to stop the time pulse (master clock, MCLK), in that it sets a signal PREP to LOW via an internal command.
- S3: The MC decodes the precisely defined instant within the next suitable command for the IDDQ test and also sets a signal DEKOD to LOW. Now the MCLK is set equal to LOW, and the digital component of the MC is set to static operation for the IDDQ measurement.
- S4: The CU performs the IDDQ measurement.
- S5: The CU outputs the level sequence LOW-HIGH-LOW at the signal END, thereby reactivating the MCLK.
- S6: The MC becomes active again and confirms the end of the measurement by setting the START signal to LOW. The MC continues the program and prepares the next IDDQ measurement or ends the IDDQ measurement when all measurements have been carried out.
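The CU side of this handshake, together with the repeat-then-fail-safe rule from the detailed description, can be modelled as a small state machine. The following C code is an added example, not part of the patent: the state names, the microampere limit, the tick-based MC model and the sample currents are assumptions, and steps S2 and S3 (stopping MCLK) are folded into the MC raising START.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { MAS_WAIT_START, MAS_MEASURE, MAS_WAIT_ACK, MAS_DONE, MAS_FAIL_SAFE } mas_state_t;

typedef struct {
    mas_state_t state;
    unsigned points_left;   /* measurements still to perform */
    unsigned max_repeats;   /* preset number of repetitions per measurement */
    unsigned repeats_left;  /* repetitions still allowed for the current one */
    unsigned limit_uA;      /* limiting value for the quiescent current (assumed unit) */
    unsigned end_pulses;    /* LOW-HIGH-LOW pulses issued on END so far */
    bool     iddq_fin;      /* IDDQ_FIN: all measurements completed */
} mas_t;

void mas_init(mas_t *m, unsigned points, unsigned max_repeats, unsigned limit_uA) {
    m->state = points ? MAS_WAIT_START : MAS_DONE;
    m->points_left = points;
    m->max_repeats = m->repeats_left = max_repeats;
    m->limit_uA = limit_uA;
    m->end_pulses = 0;
    m->iddq_fin = (points == 0);
}

/* One tick of the measuring run control. start is the level of START as
 * driven by the MC, iddq_uA the current sampled on the digital supply line.
 * Returns true when the CU pulses END in this tick. */
bool mas_tick(mas_t *m, bool start, unsigned iddq_uA) {
    switch (m->state) {
    case MAS_WAIT_START:                     /* S1: MC announces a measurement */
        if (start) { m->state = MAS_MEASURE; m->repeats_left = m->max_repeats; }
        return false;
    case MAS_MEASURE:                        /* S4: clock stopped, CU measures */
        if (iddq_uA <= m->limit_uA) {        /* S5: release the MC via END */
            m->end_pulses++;
            m->state = MAS_WAIT_ACK;
            return true;
        }
        if (m->repeats_left == 0) {          /* END is withheld: MC stays halted */
            m->state = MAS_FAIL_SAFE;
            return false;
        }
        m->repeats_left--;                   /* repeat the measurement */
        return false;
    case MAS_WAIT_ACK:                       /* S6: MC lowers START */
        if (!start) {
            if (--m->points_left == 0) { m->state = MAS_DONE; m->iddq_fin = true; }
            else m->state = MAS_WAIT_START;
        }
        return false;
    default:                                 /* DONE and FAIL_SAFE are terminal */
        return false;
    }
}

/* Drives the CU with a minimal MC model and constructed current samples
 * (one sample is consumed per measuring tick). Returns the final state. */
mas_state_t run_selftest(const unsigned *samples, size_t n, unsigned points,
                         unsigned max_repeats, unsigned limit_uA, unsigned *end_pulses) {
    mas_t m;
    bool start = true;                       /* MC raises START for the first point */
    size_t i = 0;
    mas_init(&m, points, max_repeats, limit_uA);
    while (m.state != MAS_DONE && m.state != MAS_FAIL_SAFE) {
        unsigned sample = 0;
        if (m.state == MAS_MEASURE) {
            if (i == n) break;               /* constructed samples exhausted */
            sample = samples[i++];
        }
        if (mas_tick(&m, start, sample)) start = false;        /* S6 */
        else if (m.state == MAS_WAIT_START) start = true;      /* S1, next point */
    }
    if (end_pulses) *end_pulses = m.end_pulses;
    return m.state;
}

int main(void) {
    const unsigned good[] = {12, 15, 80, 14, 11};  /* one transient, then fine */
    const unsigned bad[]  = {12, 90, 95, 91, 10};  /* second point stays high  */
    unsigned pulses = 0;
    mas_state_t st = run_selftest(good, 5, 4, 2, 50, &pulses);
    printf("good run: state %d, END pulses %u\n", (int)st, pulses);
    st = run_selftest(bad, 5, 4, 2, 50, &pulses);
    printf("bad run:  state %d, END pulses %u\n", (int)st, pulses);
    return 0;
}
```

The fail-safe reaction needs no extra signal: the CU simply never issues the END pulse, so a microcomputer whose clock is stopped cannot resume on its own.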

Two voltage supply lines preferably run between the voltage supply and the MC, one voltage supply line running through the IDDQ measuring circuit. The quiescent current of the MC is measured via the voltage supply line that runs through the IDDQ measuring circuit.

According to another advantageous further refinement of the control unit according to the present invention, it is proposed that the first means include an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control (MAS), and a control system of the CU, and that the connection between the first means and the MC includes four handshake lines that run from the IDDQ-MAS to the MC and at least one voltage supply line that runs from the voltage supply to the MC, at least one of the voltage supply lines running through the IDDQ measuring circuit. In the case of four handshake lines, a time-pulse (CLK) line and a line for a power-down (PWRDN) control can be provided for the MC in addition to the lines START, END in the case of two handshake lines. In this specific embodiment of the control unit, a shared voltage supply line to the processor is sufficient, the quiescent current being measured in the voltage supply line. The clock generator is then stopped in the CU. The control of voltage supply circuits for analog circuits and IO circuits in the MC is carried out via the PWRDN line from the CU. As such, only the quiescent current of the digital component of the MC flows in the measuring case through the shared voltage supply line.

Advantageously, the first means have an initialization circuit, which receives an initialization signal from the voltage supply after the control unit is switched on and subsequently transmits an enable signal to the IDDQ-MAS to enable the IDDQ measurement. The successful completion of the IDDQ measurement is signalized by an additional signal to the control system of the CU. Consequently, the CU advances the test run in that the initialization circuit enables the test data signal generator via an additional signal.

According to an advantageous specific embodiment of the present invention, the second means include a test data signal generator for applying a test data input signal to the MC, a response generator for processing the test data input signal and for forming a corresponding test data output signal, a test data register for transmitting and receiving test data, and a comparator for comparing the test data output signal of the MC to the test data output signal of the CU; and the connection between the second means and the MC includes at least one test data transmission line, which runs between the test data register and the MC. Advantageously, two test data transmission lines run between the test data register and the MC.

The test data signal generator is also activated by the initialization circuit after the control unit is enabled. In the test data signal generator, the test data for the MC are generated in a virtually random order by a feedback shift register. With the aid of the Reed-Muller codes, the bit string for the test data output signal (the so-called reference signal) is formed in the response generator, for every test data input signal. This code is used to maintain a distance that is as great as possible in the space of numbers of the test data output signals (Hamming distance). In the comparator, the theoretically calculated test data output signal from the response generator of the CU is then compared to the actual test data output signal of the MC from the test data register.

The second means preferably have a trigger generator, which determines the instant at which the test data output signal of the MC is available at the comparator, in the case of an error-free MC. The trigger generator stipulates the instant of the comparison of the determined test data output signal of the MC and the actual response of the CU. As a result, it is ensured that the time slices in the MC proceed correctly. The comparator not only checks the test data output signal for the correct data value but also determines whether the test data output signal is transmitted within a specific timing window.

Advantageously, the second means have an error counter, which counts up or down, in the event that the test data output signal of the MC is not consistent with the test data output signal of the CU, and/or in the event that the test data output signal of the MC is available at the comparator at an instant that differs from the one determined by the trigger generator. By a counting pulse, the comparator causes the error counter to count up or down. If the value and instant of the test data output signal are correct, the error counter is decremented, for example. If the error counter falls below a predefined value, an external warning light, for example, is switched on or off via a signal interface, and a relay for manipulating the safety-critical application is enabled.

The manipulation of the application to be controlled is typically limited to discontinuing the application. In the case of special applications, it can, however, be useful for the error counter to have a plurality of response thresholds, with the exceeding of each response threshold resulting in a different reaction. As a result, the application can be prevented from being immediately interrupted in the case of a singular disturbance, and the disabling path can be checked by the computer.

If the MC responds to a test data input signal at the wrong instant or with an incorrect value, the same test data input signal is applied to the MC again until the instant and value of the test data output signal are correct. If this does not occur within a predefined time period, the CU switches off the control unit or the application, and it cannot be re-activated even by correct responses.

The second means preferably have an initialization circuit, which receives an initialization signal from the voltage source after the control unit is enabled, subsequently synchronizes the CU with the MC, and then activates the test data signal generator and the error counter. The CU is synchronized with the MC in that the CU waits for the first data transmission of the MC.

An additional object of the present invention is to develop and further refine a method for checking a microcomputer of the species cited at the outset to the effect that the reliability of the error detection is further improved, and the detection is expanded to additional types of errors.

To achieve this object, starting from the method of the species cited at the outset, the present invention proposes that the CU of the control unit measures the quiescent current of the MC and applies a test data input signal to the MC, determines a first test data output signal, and compares a second test data output signal of the MC to the first test data output signal of the CU.

Advantageously, the quiescent current measurement is in the form of an IDDQ measurement. Preferably, the IDDQ measurement is carried out after the control unit is switched on after being enabled by an enable signal.

According to an advantageous further refinement of the method according to the present invention, the second test data output signal of the MC is compared to the first test data output signal of the CU while the control unit is in operation. This has the advantage that the control unit does not have to be switched off to test the functionality of the microcomputer. Rather, MC computing power not used for controlling the application can be used to check the MC while the control unit is in operation.

Preferably, a false test data output signal is transmitted one time at regular intervals to the CU while the control unit is in operation to check the functionality of the disabling path.

An additional advantageous embodiment of the present invention starts from the assumption that a clock generator is stopped by the MC during the IDDQ measurement and/or while the second test data output signal of the MC is being compared to the first test data output signal of the CU. The clock generator is provided in the control system of the CU. The internal computer operations in particular are controlled as a function of the output signal of this clock generator. In the described IDDQ test mode, it is provided that this clock generator is switched off or disabled or disconnected from the MC. This can also be carried out in the power-down mode when a particularly low quiescent current is to be achieved. The clock generator is switched off or disabled or disconnected especially at the start of every quiescent current measurement.

Preferably, the test data input signal of the CU is generated by a test data signal generator, via a feedback shift register. Preferably, the test data output signal of the CU is generated by a response generator, with the aid of the Reed-Muller code.

The control unit according to the present invention can be checked by two different test runs. A so-called start-up test is carried out immediately following the switching on of the control unit and prior to the operation of the control unit for controlling or regulating the safety-critical application.

After the start-up test, a so-called online test is carried out from time to time while the control unit is in operation.

The start-up test is subdivided into two test segments, the so-called processor initialization segment (Proz-Init) and the subsequent so-called operating system initialization segment (BS-Init). The processor initialization segment includes a command test and a core test, a RAM/ROM test, and an IDDQ test. The operating system initialization segment includes a start-up control and a test of the CU. In the start-up control, different input values are tested on the control unit (e.g. a certain speed pattern of the wheels of a vehicle, as can typically occur at the input of an ABS control unit of the vehicle). The control unit carries out a regulation or control of the application based on the input values. The result of the simulated regulation or control is compared to corresponding setpoint values. When testing the CU, a defective MC is simulated, and the reaction of the CU to the defect is checked.

The online test has a command test and a core test, a RAM/ROM test, a test of the CU, and a replication test. In the replication test, double memory spaces are provided for certain safety-critical variables, and certain safety-critical calculations are carried out twice. The contents of the double memory spaces and the results of the double calculations are compared to one another. The redundant storing and the redundant calculation are carried out by a processor of the control unit. Furthermore, the online test has a plausibility check in which control signals or regulation signals determined by the MC are checked for plausibility. In the case of an ABS control unit, one can, for example, check whether the speed, the acceleration, or the deceleration are within certain limits. Moreover, the values of the individual wheels of the vehicle must be in a certain relation to one another, which can also be checked. Finally, the online test has another operating system test and a test of the remaining monitoring units of the control unit.

A preferred exemplary embodiment of the present invention is explained in more detail in the light of the following drawings. The figures show:

Figure 1 shows a schematic overview of a block diagram of a control unit according to the present invention; Figure 2 shows a detailed overview of a block diagram of the control unit from Figure 1; Figure 3 shows a circuit configuration for a quiescent current measurement including a two-wire handshake; Figure 4 shows a timing diagram of the measuring run control for the quiescent current from Figure 3.

Figure 1 shows a schematic overview of a block diagram of a control unit according to the present invention. Reference numeral 1 designates the control unit according to the present invention in its entirety. Control unit 1 is used to control safety-critical applications, e.g. for anti-lock (braking) systems, for traction control systems, and/or for electronic stability programs. Control unit 1 has a microcomputer MC, a monitoring unit (CU, check unit), and peripheral circuits (IO, input/output). Microcomputer MC, monitoring unit CU, and peripheral circuits IO are connected in series via a serial synchronous databus 2. Via its data output line MC\_Dout, microcomputer MC transmits the data output signals through databus 2 to the bus users and simultaneously receives the data input signals via its data input line MC\_Din. Using the signal SAM (sample), the bus users store the data received in their storage registers.

There are additional connecting lines between microcomputer MC and monitoring unit CU, namely a shared supply line VDD or alternatively, a plurality of supply lines VDD for a digital and analog supply of microcomputer MC. Finally, IDDQ handshake lines IDDQ-HDSHK, which are used for controlling the quiescent current measurement (IDDQ measurement) of microcomputer MC, run between microcomputer MC and monitoring unit CU. So-called disabling paths 3 lead from monitoring unit CU to external warning lamps and/or relays to manipulate the safety-critical applications to be controlled, depending on whether monitoring unit CU detects an error of microcomputer MC. Peripheral circuits IO have connecting lines 4 to safety-critical application 5 to be controlled.

After control unit 1 is switched on, the quiescent current is measured to check the functionality of microcomputer MC. While control unit 1 is in operation, the functionality of microcomputer MC is checked in that it regularly receives test data records, and the corresponding second test data output signal of the MC is compared to an error-free first test data output signal calculated by monitoring unit CU.

Figure 2 shows a detailed overview of a block diagram of the control unit 1 from Figure 1. Monitoring unit CU includes a control system 6 of monitoring unit CU, a measuring run control 7 for the IDDQ measurement, an IDDQ measuring circuit 8, and a voltage supply 9. Control system 6 of monitoring unit CU includes a test data signal generator 10, a response generator 11, and a comparator 12. With the aid of test data signal generator 10, a test data input signal is applied to microcomputer MC, and the microcomputer determines a second test data output signal as a function of the test data input signal and its own internal states. Response generator 11 processes the same test data input signal and forms a corresponding first test data output signal. In comparator 12, the first test data output signal of monitoring unit CU is compared to the second test data output signal of microcomputer MC. A trigger generator 13 determines the instant at which the second test data output signal of microcomputer MC is available at comparator 12, given an error-free, functioning microcomputer MC.

Control system 6 of monitoring unit CU further has an error counter 14, which counts an error, in the event that the second test data output signal of microcomputer MC is not consistent with the first test data output signal of monitoring unit CU, and/or in the event that the second test data output signal of microcomputer MC is available at comparator 12 at a different instant than the one determined by trigger generator 13.

Furthermore, control system 6 of monitoring unit CU has a test data register 17, which is used for transmitting and receiving test data.

Finally, control system 6 of monitoring unit CU also has an initialization circuit 15, which receives an initialization signal RST from voltage supply 9 after control unit 1 is switched on and subsequently synchronizes monitoring unit CU with microcomputer MC in that the monitoring unit waits for the first data transmission of the MC. Initialization circuit 15 subsequently activates test data signal generator 10 and error counter 14.

In test data signal generator 10, the test data input signals for microcomputer MC are generated in a virtually random order by a feedback shift register. With the aid of the Reed-Muller codes, the bit string for the corresponding first test data output signal is formed in response generator 11, for every test data input signal. This code is used to maintain a distance that is as great as possible in the space of numbers of the test data output signals (Hamming distance). In comparator 12, the first test data output signal determined in response generator 11 is then compared to the actual second test data output signal of microcomputer MC.


The instant of the comparison is specified by trigger generator 13. This ensures that the time slices in microcomputer MC proceed correctly. Comparator 12 not only checks the second test data output signal of the MC for the correct data value but also determines whether the test data output signal is transmitted within a specific timing window. If the value and instant of the second test data output signal of the MC are correct, error counter 14 is decremented, and the safety-critical application to be controlled is kept in an active state via a signal interface 16 in that external warning lights are switched off and the relays for triggering application 5 are activated.


In every cycle following this first cycle, the instant and value of the second test data output signal of the MC must be correct to prevent error counter 14 from responding immediately. Error counter 14 has a plurality of response thresholds to prevent control unit 1 or application 5 from being switched off in the case of a singular disturbance and to enable microcomputer MC to check the disabling path. The first step blocks the valve output stages via signal EN and switches off the voltage supply of the valves via valve relay VRA. The display of the warning lights SILA is delayed by one cycle, so that there is no display when testing the disabling path.


If a test data input signal is responded to at the wrong instant or with an incorrect value, the same test data input signal is applied again to microcomputer MC until the instant and value are correct. If this does not occur within a predefined time period, monitoring unit CU switches off the control unit 1, and it can no longer be activated even by correct responses.
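The monitoring cycle described above can be modelled in a few lines of C. This is an added sketch, not code from the application: the 5-bit shift register, the choice of the first-order Reed-Muller code RM(1,4), the timing window, the counter step and threshold, the retry limit, and all identifiers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed parameters for this sketch; the page gives no numeric values. */
#define WIN_OPEN    4u   /* timing window opens (ticks after the challenge) */
#define WIN_CLOSE   6u   /* timing window closes */
#define CNT_START   4u   /* error counter after initialization */
#define CNT_MAX     15u  /* counter saturates here */
#define ERR_STEP    2u   /* added for every faulty cycle */
#define T_BLOCK     3u   /* counter >= T_BLOCK: outputs blocked (first step) */
#define MAX_RETRIES 3u   /* failures tolerated on one challenge before latch-off */

typedef enum { CU_ENABLED, CU_BLOCKED, CU_LATCHED_OFF } cu_state_t;
typedef struct {
    uint8_t  lfsr;     /* current 5-bit challenge, never zero */
    unsigned counter;  /* error counter */
    unsigned retries;  /* consecutive failures on the current challenge */
    int      latched;  /* once set, correct responses no longer help */
} cu_t;

/* 5-bit feedback shift register, a[n+5] = a[n] ^ a[n+2]; period 31. */
static uint8_t lfsr5_next(uint8_t s) {
    return (uint8_t)((s >> 1) | (((s ^ (s >> 2)) & 1u) << 4));
}

static unsigned parity(unsigned v) {
    unsigned p = 0;
    for (; v; v >>= 1) p ^= v & 1u;
    return p;
}

/* First-order Reed-Muller code RM(1,4): 5 message bits -> 16 code bits.
 * Code bit x is a0 XOR <a, x>, so distinct codewords differ in >= 8 bits. */
static uint16_t rm14_encode(uint8_t msg) {
    unsigned a0 = (msg >> 4) & 1u, a = msg & 0x0Fu, cw = 0;
    for (unsigned x = 0; x < 16; x++)
        cw |= (a0 ^ parity(a & x)) << x;
    return (uint16_t)cw;
}

/* Smallest Hamming distance between the references of two challenges. */
static unsigned rm14_min_distance(void) {
    unsigned best = 16;
    for (unsigned i = 0; i < 32; i++)
        for (unsigned j = i + 1; j < 32; j++) {
            unsigned d = 0, x = (unsigned)(rm14_encode((uint8_t)i) ^ rm14_encode((uint8_t)j));
            for (; x; x >>= 1) d += x & 1u;
            if (d < best) best = d;
        }
    return best;
}

static void cu_init(cu_t *cu, uint8_t seed) {
    seed &= 0x1Fu;
    *cu = (cu_t){ (uint8_t)(seed ? seed : 1u), CNT_START, 0u, 0 };
}

static cu_state_t cu_state(const cu_t *cu) {
    return cu->latched ? CU_LATCHED_OFF : (cu->counter >= T_BLOCK ? CU_BLOCKED : CU_ENABLED);
}

/* One cycle: check value and arrival tick against the reference; advance only when correct. */
static cu_state_t cu_cycle(cu_t *cu, uint16_t mc_response, unsigned tick) {
    if (cu->latched) return CU_LATCHED_OFF;
    int ok = mc_response == rm14_encode(cu->lfsr) && tick >= WIN_OPEN && tick <= WIN_CLOSE;
    if (ok) {
        if (cu->counter > 0) cu->counter--;
        cu->retries = 0;
        cu->lfsr = lfsr5_next(cu->lfsr);
    } else {                               /* same challenge is applied again */
        cu->counter = cu->counter + ERR_STEP > CNT_MAX ? CNT_MAX : cu->counter + ERR_STEP;
        if (++cu->retries > MAX_RETRIES) cu->latched = 1;
    }
    return cu_state(cu);
}

int main(void) {
    cu_t cu;
    cu_init(&cu, 0x1D);
    for (int i = 0; i < 4; i++) {          /* healthy MC answering on time */
        uint16_t ref = rm14_encode(cu.lfsr);
        printf("ref=0x%04X state=%d\n", (unsigned)ref, (int)cu_cycle(&cu, ref, 5));
    }
    return 0;
}
```

With these assumed values a single wrong or late response leaves the outputs enabled, two in a row block them, and a fourth consecutive failure on the same challenge latches the unit off.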


After control unit 1 is switched on, the quiescent current is measured for a set number (typically 8 to 16) of selected instants of a test program. The communication between microcomputer MC and monitoring unit CU for measuring the quiescent current is carried out via the two handshake lines START and END. While the quiescent current is being measured, microcomputer MC stops clock generator CLK. Between monitoring unit CU and microcomputer MC are two separate voltage supply lines, VDD\_digital for supplying the digital component of microcomputer MC and VDD\_analog for supplying the analog component of microcomputer MC. The quiescent current is measured in voltage supply line VDD\_digital.

The quiescent current measurement is enabled after the voltage supply is switched on via signal IDDQ\_EN of control system 6 of monitoring unit CU. The successful completion of the quiescent current measurement is signaled to control system 6 of monitoring unit CU by signal IDDQ\_FIN. Consequently, monitoring unit CU advances the test run in that initialization circuit 15 enables test data signal generator 10 via a signal `IDDQ_OK`.

Figure 3 shows a circuit configuration for measuring the quiescent current including a two-wire handshake. Figure 4 shows the timing diagram of measuring run control 7 for the quiescent current measurement from Figure 3. After control unit 1 is switched on, microcomputer MC starts its self-test. Part of this self-test is the quiescent current measurement. If the functional sequence in microcomputer MC reaches the quiescent current test, the START signal is activated. At instant $T_1$, the quiescent current measurement is activated by signal `_Act`. The output of comparator 12 for the quiescent current measurement is evaluated after time $T_2$. If the value is acceptable, microcomputer MC is activated again by the END signal. If the value is outside of a limiting value, the measurement is repeated. The number of repetitions is preset. If repeating the measurement also does not produce a correct response, the measurement is discontinued, and monitoring unit CU does not switch on microcomputer MC but remains in a fail-safe mode. When all quiescent current measurements are completed, signal `IDDQ_FIN` is set to HIGH. Consequently, control system 6 of monitoring unit CU resets signal `IDDQ_EN` from HIGH to LOW.
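The measuring run just described (repeat on an out-of-limit reading, withhold END when the repetitions are used up, then set `IDDQ_FIN` and clear `IDDQ_EN`) is sketched below as an added example that is not part of the application. The limiting value, the number of repetitions, the readings and every identifier are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define IDDQ_POINTS   8      /* page: typically 8 to 16 measuring instants */
#define IDDQ_REPEATS  2      /* assumed preset number of repetitions per instant */
#define IDDQ_LIMIT_UA 50.0   /* assumed limiting value in microamps */

typedef struct {
    int iddq_en;     /* enable from the control system, HIGH while measuring */
    int iddq_fin;    /* HIGH once all measurements are completed */
    int iddq_ok;     /* releases the test data signal generator */
    int fail_safe;   /* CU does not restart the MC */
    int end_pulses;  /* END handshakes that restarted the MC */
    size_t used;     /* readings consumed */
} iddq_result_t;

/* ua[] holds one quiescent-current reading per measurement attempt, in the
 * order the MC raises START (clock stopped) at each selected instant. */
static iddq_result_t iddq_run(const double *ua, size_t n) {
    iddq_result_t r = { 1, 0, 0, 0, 0, 0 };
    for (int point = 0; point < IDDQ_POINTS; point++) {
        int accepted = 0;
        for (int attempt = 0; attempt <= IDDQ_REPEATS && r.used < n; attempt++) {
            if (ua[r.used++] <= IDDQ_LIMIT_UA) {   /* comparator read after T2 */
                accepted = 1;
                break;
            }
        }
        if (!accepted) {          /* repeats exhausted: no END, stay fail-safe */
            r.fail_safe = 1;
            return r;
        }
        r.end_pulses++;           /* END reactivates the MC */
    }
    r.iddq_fin = 1;               /* all instants measured */
    r.iddq_en = 0;                /* control system resets IDDQ_EN to LOW */
    r.iddq_ok = 1;                /* initialization circuit advances the test run */
    return r;
}

int main(void) {
    /* Constructed readings: one transient at the third instant, then clean. */
    const double ua[] = { 12, 11, 90, 13, 12, 12, 11, 13, 12 };
    iddq_result_t r = iddq_run(ua, sizeof ua / sizeof ua[0]);
    printf("fin=%d ok=%d fail_safe=%d readings=%zu\n",
           r.iddq_fin, r.iddq_ok, r.fail_safe, r.used);
    return 0;
}
```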


What is claimed is:

1. A control unit (1) for controlling safety-critical applications (5), having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO), wherein the monitoring unit (CU) has first means for measuring the quiescent current of the microcomputer (MC); at least one quiescent current handshake line (IDDQ-HDSHK) for controlling the measurement of the quiescent current runs between the first means of the CU and the MC; the CU has second means for applying a test data input signal for processing the test data output signal and for comparing the corresponding test data output signal of the MC to the corresponding test data output signal of the CU; and at least one test data signal transmission line runs between the second means of the CU and the MC.
2. The control unit (1) as recited in Claim 1, wherein the first means includes an IDDQ measuring circuit (8), a voltage supply (9), an IDDQ measuring run control (MAS) (7), and a control system (6) of the CU; and the connection between the first means and the MC includes two handshake lines (START, END), which run from the IDDQ-MAS to the MC, and at least one voltage supply line (VDD), which runs from the voltage supply (9) to the MC, at least one of the voltage supply lines (VDD) running through IDDQ measuring circuit (8).
3. The control unit (1) as recited in Claim 2, wherein two voltage supply lines (VDD\_analog, VDD\_digital) run between the voltage source (9) and the MC, one voltage supply line (VDD\_digital) running through the IDDQ measuring circuit (8).
4. The control unit (1) as recited in Claim 1, wherein the first means includes an IDDQ measuring circuit (8), a voltage supply (9), an IDDQ measuring run control (MAS) (7), and a control system (6) of the CU; and the connection between the first means and the MC includes four handshake lines (START, END, CLK, PWR\_DN), which run from the IDDQ-MAS (7) to the MC, and at least one voltage supply line (VDD), which runs from the voltage supply (9) to the MC, at least one of the voltage supply lines (VDD) running through IDDQ measuring circuit (8).

5. The control unit (1) as recited in one of Claims 2 through 4, wherein the first means have an initialization circuit (15), which, after the control unit (1) is switched on, receives an initialization signal (RST) from the voltage source (9) and subsequently transmits an enable signal (IDDQ\_EN) to the IDDQ-MAS (7) to enable the IDDQ measurement.

6. The control unit (1) as recited in one of Claims 1 through 5, wherein the second means include a test data signal generator (10) for applying a test data input signal to the MC, a response generator (11) for processing the test data input signal and for forming a corresponding test data output signal, a test data register (17) for transmitting and receiving the test data, and a comparator (12) for comparing the test data output signal of the MC to the test data output signal of the CU; and the connection between the second means and the MC includes at least one test data transmission line, which runs between the test data register (17) and the MC.

7. The control unit (1) as recited in Claim 6, wherein the connection between the second means and the MC includes two test data transmission lines (CU\_Dout, CU\_Din).

8. The control unit (1) as recited in Claim 6 or 7, wherein the second means have a trigger generator (13), which determines the instant at which the test data output signal of the MC is available at the comparator (12), given an error-free MC.

9. The control unit (1) as recited in one of Claims 6 through 8, wherein the second means have an error counter (14), which counts an error, in the event that the test data output signal of the MC is not consistent with the test data output signal of the CU, and/or in the event that the test data output signal of the MC is available at the comparator (12) at a different instant than the one determined by the trigger generator (13).

10. The control unit (1) as recited in Claim 9, wherein the error counter (14) has a plurality of response thresholds, exceeding the response threshold resulting in a different reaction in each case.

11. The control unit (1) as recited in one of Claims 6 through 10, wherein the first means have an initialization circuit (15), which receives an initialization signal (RST) from the voltage source (9) after the control unit (1) is switched on, subsequently synchronizes the CU with the MC, and then activates the test data signal generator (10) and the error counter (14).

12. A method for testing a microcomputer (MC) of a control unit (1) for controlling safety-critical applications, the control unit having the microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO), wherein the quiescent current of the MC is measured, a test data input signal is applied to the MC, a first test data output signal is determined, and a second test data output signal of the MC is compared to the first test data output signal of the CU.

13. The method as recited in Claim 12, wherein the quiescent current measurement is in the form of an IDDQ measurement.

14. The method as recited in Claim 13, wherein the IDDQ measurement is carried out after the control unit (1) is switched on after being enabled by an enable signal (IDDQ\_EN).

15. The method as recited in Claim 13 or 14, wherein the second test data output signal of the MC is compared to the first test data output signal of the CU while the control unit (1) is in operation.

16. The method as recited in one of Claims 13 through 15, wherein clock generator (clock, CLK) is stopped by the MC during the IDDQ measurement and/or while the second test data output signal of the MC is being compared to the first test data output signal of the CU.

17. The method as recited in one of Claims 13 through 16, wherein the test data input signal of the CU is generated by a test data signal generator (10), via a feedback shift register.

18. The method as recited in Claim 17, wherein the test data output signal of the CU is generated by a response generator (11), with the aid of the Reed-Muller code.



Fig. 1



Fig. 4



Fig. 2



Fig. 3


[10191/1923]

DECLARATION AND POWER OF ATTORNEY

As a below named inventor, I hereby declare that:

My residence, post office address and citizenship are as stated below next to my name.

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if plural names are listed below) of the subject matter which is claimed and for which a patent is sought on the invention entitled **CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS**, the specification of which was filed as International Application **PCT/DE00/00157** on January 18, 2000;

I hereby state that I have reviewed and understand the contents of the above-identified specification, including the claims.

I acknowledge the duty to disclose information which is material to the examination of this application in accordance with Title 37, Code of Federal Regulations, § 1.56(a).

I hereby claim foreign priority benefits under Title 35, United States Code, § 119 of any foreign application(s) for patent or inventor's certificate listed below and have also identified below any foreign application(s) for patent or inventor's certificate having a filing date before that of the application on which priority is claimed:


PRIOR FOREIGN APPLICATION(S)

| Number       | Country filed        | Day/month/year  | Priority Claimed     |
|--------------|----------------------|-----------------|----------------------|
| 199 02 031.0 | Fed. Rep. of Germany | 20 January 1999 | Under 35 USC 119 Yes |

And I hereby appoint Richard L. Mayer (Reg. No. 22,490) and Gerard A. Messina (Reg. No. 35,952) my attorneys with full power of substitution and revocation, to prosecute this application and to transact all business in the Patent and Trademark Office connected therewith.

Please address all communications regarding this application to:

KENYON & KENYON  
One Broadway  
New York, New York 10004  
CUSTOMER NO. 26646

Please direct all telephone calls to Richard L. Mayer at (212) 425-7200.

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such willful and false statements may jeopardize the validity of the application or any patent issued thereon.

Inventor: Peter DOMINKE

Inventor's Signature: Peter Dominke

Date: 10. 9. 01

Residence: Rechentshofenerstr. 9  
74321 Bietigheim Bissingen  
Federal Republic of Germany

Citizenship: Federal Republic of Germany

Post Office Address: Same as above.

Inventor: Wolfgang PFEIFFER

Inventor's Signature: Wolfgang Pfeiffer

Date: 07/25/01

Residence: Braunersbergsteige 13  
71723 Grossbottwar  
Federal Republic of Germany

Citizenship: Federal Republic of Germany

Post Office Address: Same as above.

Inventor: Werner HARTER

Inventor's Signature: Werner HARTER

Date: 07/26/01

Residence: Hummelberg 4  
75428 Illingen  
Federal Republic of Germany

Citizenship: Federal Republic of Germany

Post Office Address: Same as above.

Inventor: Thomas LINDENKREUZ

Inventor's Signature: Thomas Lindenkreuz

Date: 08/16/01

Residence: Eugen-Bolz-Str. 21  
72766 Reutlingen  
Federal Republic of Germany

Citizenship: Federal Republic of Germany

Post Office Address: Same as above.
